
Europaisches Patentamt 
European Patent Office 
Office europeen des brevets 



© Publication number: 



0 139 313 B1 



EUROPEAN PATENT SPECIFICATION 



© Date of publication of patent specification: 08.07.92 © Int. CI. 5 : H04L 9/00 
© Application number: 84201160.3 
© Date of filing: 13.08.84 



© Blind signature systems. 



CD 

CO 

CO 

O) 
CO 



© Priority: 22.08.83 US 524896 

© Date of publication of application: 
02.05.85 Bulletin 85/18 

© Publication of the grant of the patent: 
08.07.92 Bulletin 92/28 

© Designated Contracting States: 
AT BE CH DE FR GB IT LI NL SE 

© References cited: 

ADVANCES IN CRYPTOLOGY, PROCEEDINGS 
OF CRYPTO '82, Santa Barbara, US, 23rd-25th 
August 1982, pages 199-203, Plenum, New 
York, US; D. CHAUM: "Blind signatures for 
untraceable payments 11 

ADVANCES IN CRYPTOLOGY, PROCEEDINGS 
OF CRYPTO '83, Santa Barbara, US, 21st-24th 
August 1983, page 153, Plenum, New York, 
US; D. CHAUM: "Blind signature system" 

JOURNAL OF THE ASSOCIATION FOR COM- 
PUTING MACHINERY, vol. 21, no. 2, February 
1978, pages 120-126, New York, US; R.L. RIV- 
EST et al.: "A method for obtaining digital 
signatures and public-key cryptosystems" 



© Proprietor: SECURITY TECHNOLOGY CORPO- 
RATION 

1000 E. William Street, Suite 100 
Carson City, Nevada 89701 (US) 

@ Inventor: Chaum, David, Prof. Dr. 

Centrum voor Wiskunde en Informatica Post- 
bus 4079 

NL-1009 AB Amsterdam(NL) 

© Representative: Smulders, Theodorus A.H.J., 
Ir. et al 

Vereenigde Octrooibureaux Nieuwe Parklaan 
97 

NL-2587 BN 's-Gravenhage(NL) 



Note: Within nine months from the publication of the mention of the grant of the European patent, any person 
may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition 
shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee 
has been paid (Art. 99(1) European patent convention). 



Rank Xerox (UK) Business Services 



EP0 139 313 B1 



Description 

The invention relates to a digital signature cryptographic method for at least a first provider party and a 
second provider party to develop digital signatures checkable as corresponding to a public key of a signing 
5 party, the method comprising the steps of: 

communicating data between the first provider party and the signing party where data sent by the first 
provider party is responsive to at least a first key of the first provider party and data sent by the signing 
party is responsive to at least the private key of the signing party which is related to the public key of the 
signing party; 

10 communicating data between the second provider party and the signing party where data sent by the 
second provider party is responsive to at least a second key of the second provider party and data sent by 
the signing party is responsive to at least the private key of the signing party which is related to the public 
key of the signing party; 

processing responsive to the first key by the first provider party of data received in the communication to 
75 produce a first digital signature checkable as related to the public key of the signing party; 

processing responsive to the second key by the second provider party of data received in the communica- 
tion to produce a second digital signature checkable as corresponding to the public key of the signing 
party. 

The invention also relates to a cryptographic apparatus for at least a first provider party and a second 
20 provider party to develop digital signatures checkable as corresponding to a public key of a signing party, 
the aparatus comprising: 

means for communicating data between the first provider party and the signing party including means for 
developing data sent by the first provider party responsive to at least a first key of the first provider party, 
and means for developing data sent by the signing party responsive to at least the private key of the 

25 signing party related to the public key of the signing party; 

means for communicating data between the second provider party and the signing party including means 
for developing data sent by the second provider party responsive to at least a second key of the second 
provider party and means for developing data sent by the signing party responsive to at least the private 
key of the signing party related to the public key of the signing party; 

30 means for processing data received by the first provider party responsive to the first key to produce a first 
digital signature checkable as related to the public key of the signing party; and 

means for processing data received by the second provider party responsive to the second key to produce 
a second digital signature checkable as corresponding to the public key of the signing party. 

Such a cryptographic method and apparatus are described in Advances in Cryptology, Proceedings of 

35 Crypto '82, Santa Barbara, US, 23rd-25th August 1982, pages 199-203, Plenum, New York, US; D. Chaum: 
"Blind signatures for untraceable payments". 

The concept of digital signatures promises to be an important one in commercial applications of 
cryptographic techniques. The digital signatures concept is quite simple. Suppose a bank wishes to be able 
to make digital signatures that can be checked by all its customers. The bank develops a mathematical 

40 function, and supplies all its customers, and anyone else who cares to know, complete instructions for 
efficiency computing the function. The trick is, that when the bank developed the function, it included in it a 
trapdoor. This trapdoor allows the bank to efficiently compute the inverse of the function. Because it is 
infeasible to compute the inverse of the function without knowing the trapdoor, only the bank can compute 
the inverse of the function. Thus, if a customer of the bank sees a message that could only have been 

45 created by someone who knows how to compute the inverse of the function, then the customer knows that 
the message must have come from the bank. 

The concept of digital signatures was first proposed in the literature by Diffie, et al, in "Multiuser 
Cryptographic Techniques," AFIPS-Conference Proceedings, Vol. 45, pp. 109-112. The first really practical 
example functions with the required trapdoor properties were disclosed by Rivest, Shamir and Adleman, in 

50 "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, 
Vol. 21, No. 2, February 1978. 

This system has become known as "RSA", after its inventors, and remains the most credible candidate for 
widespread use. It is based on two main ideas. The first is that is relatively easy for someone to create a 
large number for which only he knows the prime factors. (One way to accomplish this is for the creator to 
55 form the number as the product of two suitable sufficiently large primes chosen at random. Such primes are 
easily found by random trial and error since the density of primes even in the neighborhood of 50 digit 
numbers is on the order of one percent, and reasonably efficient primality tests are well known in the art.) 
The second main idea is that knowing the prime factors of the modulus under which exponentiation is 



2 



EP 0 139 313 B1 



performed allows one to produce pairs of exponents that behave as inverses. 

In other words, consider the function f(x) = ^mod n to be the result of raising x to the power e and 
then finding the remainder after dividing by n. There may be a number d, such that g(x) = ^mod n and g- 
(f(x)) = f(g(x)) = x. If one chooses primes p and q and a suitable e, one can readily compute a 

5 corresponding d, simply as the multiplicative inverse of e modulo ((p-1) * (q-1)),such modular multiplicative 
inverses to be described. It is thought to be almost impossible to compute d from e and n without knowing 
p and q, and almost impossible to determine p and q from n. Thus, if e and n are made public, anyone can 
compute f(x), but only the creator of n can compute the inverse g(x). 

There are a variety of ways to use such a "public signature function" and its inverse "secret signature 

10 function" to make digital signatures. In general, it is not desirable to maintain that any message which 
results from applying the public signature function is a valid signed message. The reason is that anyone 
could create a number at random and claim that it was a signature on the message that results when the 
public signature function is applied. One solution to this problem is to designate some sub-set of the 
messages as "valid messages" such that, for example, only one in 10 50 messages is valid. Thus someone 

15 would have to apply the public signature function to an average of 5 * 10> 9 random messages, (which may 
not be a credible threat) before obtaining a valid message as a result. (An RSA system with a one-hundred 
digit modulus would still have 10 50 possible valid messages.) The process of "checking" a digital signature 
in such a scheme involves applying the public signature function to the digital signature to be checked, and 
determining whether the resulting number is a member of the set of valid messages. 

20 It is anticipated that a bank may wish to use digital signatures to validate various numbers that are to 
serve as electronic money. The bank will form digital signatures of valid numbers, and sell them to 
individuals by charging the individuals' accounts say one dollar for each signed number. These digitally 
signed numbers might be thought of as electronic bank "notes". An individual can check the digital 
signature on such a digitally signed note by applying the public signature function of the bank to the note ; 

25 and verifying that the result is a valid message. When the individual wishes to pay for some goods or 
services, say for example, buying something costing one dollar at a shop, the individual gives the digitally - 
signed note to the shop as payment. The shop can then check the digital signature on the note. If the result 
of the check is positive, then the shop can supply the digital signature to the bank, who can deposit one 
dollar in the shop's account, after again checking the signature on the note. The bank could, for example, 

30 also keep a list of the valid numbers which have been previously cleared, to prevent the same one from 
being used more than once. Of course, many different denominations of such digitally signed bank notes 
might actually be offered for sale by the bank, each denomination using a different pair of signature 
functions. 

The problem with such payments systems possible under the prior art is that the bank will always be 

35 able to know which account a note was withdrawn from and which account it is ultimately deposited to-and 
this poses serious problems from a personal privacy perspective. As more and more payments transactions 
become automated, and more and more data associated with transactions is captured electronically, a 
tremendous amount of data about a person's habits, affiliations, lifestyle, whereabouts etc. could be 
captured by the bank in electronic form. This places the bank in a position it would rather not be in, 

40 because it has to convince its customers that it handles this data properly, and also because of possible 
legal exposure, there will be various costs, restrictions on and interference with operating procedures and 
personnel. The customers of the bank are also placed in an undesirable position, since there may always 
be some doubt as to how such data is actually being used or might be used in the future. 

This example illustrates the need for signature systems that do not allow the signer to trace all things 

45 validated with his signature. Many other similar situations, such as, notaries, stock, bond, and other 
certificates, credentials, authorizations etc. are also anticipated. An example illustrating the need for a 
signature system having such properties is described in the aforementioned article of D. Chaum, but this 
article neither teaches how to achieve such a system nor does it anticipate cryptographic methods having 
properties in the direction of "complete unlinkability", which make it possible for providers using different 

so keys, and having interchanged communications with the signer, to get unchanged signatures. 

It is clear that it would be highly desirable when a cryptographic method would be at least in the 
direction of complete unlinkability and the object of the present invention is to provide such methods and 
apparatus. 

To obtain this object the method according to the invention is characterized in that there exists at least 
55 a third key and at least a fourth key such that: 

when the third key is substituted for the first key by the first provider party and the fourth key is substituted 
for the second key by the second provider party, 

and when the message content of the data that was communicated between the first provider party (101) 



3 



EP 0 139 313 B1 



and the signing party is instead communicated between the second provider party and the signing party, 
and when the message content of the data that was communicated between the second provider party and 
the signing party is instead communicated between the first provider party and the signing party, 
then the processing step of the first provider party still yields the first digital signature and the processing 
5 step of the second provider party still yields the second digital signature. 

The apparatus according to the invention, which makes it possible to carry out a completely unlinkable 
cryptographic method is characterized in that the key sources are able to provide at least a third key and at 
least a fourth key such that: 

when the third key is substituted for the first key by the first provider party and the fourth key is substituted 
w for the second key by the second provider party, 

and when the message content of the data that was communicated between the first provider party and the 
signing party is instead communicated between the second provider party and the signing party, 
and when the message content of the data that was communicated between the second provider party and 
signing party is instead communicated between the first provider party and the signing party, 
15 then the processing means of the first provider party still yields the first digital signature and the processing 
means of the second provider party still yields the second digital signature. 

In the following the invention and its advantages will be explained in view of preferred embodiments as 
shown in the drawing figures: 

Fig. 1 shows a combination functional and detailed block diagram of a blind signature system in 
20 accordance with the teachings of the present invention. 

Fig. 2a shows a block diagram of a single provider use in accordance with the teachings of the present 
invention. 

FIG. 2b shows a block diagram of a first two provider use in accordance with the teachings of. the 
present invention. 

25 FIG. 2c shows a block diagram of a second two provider use in accordance with the teachings of. the 
present invention. 

FIG. 3 is a detailed schematic diagram of an exemplary embodiment of a modular inverter. 
FIG. 4 is a detailed schematic diagram of an exemplary embodiment of a modular exponentiator. 
FIG. 5 is a detailed schematic diagram of an exemplary embodiment of a modular multiplier. 
30 FIG. 6 is a detailed schematic diagram of an exemplary embodiment of a modular subtractor. 
FIG. 7 is a detailed schematic diagram of an exemplary embodiment of a modular adder. 

BRIEF SUMMARY OF THE INVENTION 

35 In accordance with these and other objects of the present invention, a brief summary of an exemplary 
embodiment is presented. The concept of blind signatures may be understood by an analogy based on 
carbon paper lined envelopes. Suppose Alice supplies Bob with a first envelope and a second envelope, 
each containing a piece of carbon paper facing a blank white slip of paper. Bob signs both envelopes on 
the outside with identical signatures and returns them to Alice. Alice privately removes the paper slips from 

40 the envelopes, each slip now bearing a carbon image of Bob's signature; places the slips in a random 
order; presents them to Bob; and asks him which slip was in the first envelope. Bob can not answer with 
certainty, though he knows each slip was in an envelope he signed, because he does not know which slip 
was in which envelope. 

Turning now to FIG. 2a, one exemplary embodiment will be described in simplified form to introduce 
45 some central concepts, but such description should not be taken to limit the scope of the invention, which is 
described more fully elsewhere in the present specification. Two cryptographic transformations, "blinding" 
203 and "unblinding" 204, are shown depending on a secret cryptographic key k. A digital signature 
transformation 202 is shown, which depends of secret signing information not shown for clarity. 

The original message m (corresponding to the blank slip of paper in the analogy above) is first 
so encrypted by blinding transformation 203 (which corresponds with placing the slip in the special envelope), 
resulting in transformed message t (corresponding to the slip in the envelope). A digital signature 
responsive to the transformed message t is then developed by signing transformation 202 (corresponding 
with Bob signing the outside of the envelope), and is shown as t' (corresponding to the signed envelope). 
The unblinding transformation 204 takes f and converts it, by use of key k into a variant m' of the original 
55 message m which retains a signature property (corresponding to the signed slip removed from the envelope 
by the party who placed it there). 

This entire procedure would normally be repeated more than once, say 1 times, using a fresh key kj, 
13JSI, each time Gust as there were multiple envelopes in the analogy). Thus, a set of signed values {m'j} 



4 



EP 0 139 313 B1 

are generated (corresponding to a set of signed slips), as well as a set of transformed values {tj} 
(corresponding to a set of envelopes). An important property of such a blind signature system is that if the 
signer knows only the two unordered sets, and not the keys kj, then the signer is unable to readily 
determine the correspondence between the elements of the two sets Gust as Bob was unable to tell which 
s slip was from which envelope)— even though the signer is assured by the signature property that such a 
correspondence must exist. 

In one embodiment of the present invention, based on the RSA digital signature system as earlier 
described, the following congruences might hold: 

10 t s [m] • k** (mod n), 

t» = [m * k 8 ^ s m d • k (mod n),and 
nV b [m d * k] * k- 1 = m d (mod n), 

where n is the publicly known modulus and e and d are exemplary public and private signature exponents 
75 respectively. The square brackets show the input to the transformation whose output is shown on the right 
hand side, and thus they define the function of each of the three transformations. The signature property of 
m' might be checked by anyone with access to the public signing function based on e, simply by forming 
m ,e mod n and checking whether the result is a valid message m. 

20 GENERAL DESCRIPTION 

General descriptions of the functions of some constituent parts of the present invention will be. 
presented. 

Line 155 shows the output of blinding transformation 103 being input to signing transformation 102; line 

25 157 shows the output of signing transformation 102 being input to unblinding transformation 104; line 159 
shows the output of unblinding transformation 104 being input to signature checker 105. The method or. 
means whereby such information is transferred as shown by these lines is not essential to the present 
invention, and may be accomplished in any suitable way. For example, the output or input means may be 
brought into physical proximity with each other, or they may communicate remotely by any kind of 

30 communication network or other technique. The information may be encoded in various forms, some of 
them cryptographic, and decoded and transformed between codings on its way. Similarly the information 
may be stored and/or detained in various forms along its way. 

The term "party" is used herein to indicate an entity with control over some secret information. In some 
cases, a party might be a person who knows a secret cryptographic key. It is anticipated that a plurality of 

35 people may each know part or all of some key matter, and then they might collectively be thought of as a 
party. In other cases, a key may normally be known only to apparatus and not people, and the apparatus or 
the people able to utilize the apparatus may be regarded as parties. Different people may use the same 
apparatus each with different keys, assuming they all have some trust in the apparatus, and then they might 
be regarded as separate parties. Thus, for example, signature transformation 102 may be regarded as a 

40 step in a method or part of an apparatus, and/or it may be regarded as a party, and it may be called signer 
102 or signer party 102. 

Key source 123 is shown without inputs and with output 153. The function of key source 123 is to 
output a value normally at least partially unknown to at least the signer party 102. It is preferred that the 
output is nearly completely unknown outside the provider 101, and may not even be known to any persons 

45 but to only apparatus. The term "secret key" may be used herein to refer to information, such as the output 
of key source 123, that is normally supposed to be unknown to various parties. Many means and methods 
are known in the art for generating such keys. One approach uses unpredictable physical phenomena, such 
as noise in a semiconductor or other electronic component or radioactive decay, or timing of events 
generated by asynchronous processes, such as humans pushing buttons. Another approach uses algorith- 

50 mic transformations on other secret information. Of course these two approaches can readily be combined. 
The output of the key source is shown as input to transformations 103 and 104. The probability distribution 
of keys is obviously of interest. In the preferred embodiment, they are preferably as nearly uniformly 
distributed as practical. The output may be generated initially for one, and then retained, possibly in 
encrypted form, and/or in some protected and/or tamper indicating or tamper responding apparatus. An 

55 equivalent approach for the present invention would be re-generating the key algorithmically each time it is 
needed. 

Signature checker 105 is shown taking its input from the output of unblinding transformation 104, line 
159, and producing output 161, shown in the preferred embodiment as m. The function of checker 105 is to 



5 



EP 0 139 313 B1 

produce an indication of whether the input value has the properties of a valid signature. An implicit input is 
the public signature information, shown as e in the preferred embodiment The authenticity of this 
information forms the basis for the authenticity decision about the signature input, and thus such information 
may be shown contained within checker 105. Checker 105 serves a logical function of indicating whether or 

5 not the signature appears to have been transformed using the secret signature information corresponding to 
the public signature information; any means or method performing this function may be regarded as a 
signature checker. (Other data may also be output by the checker 105, such as parameter values included 
during formation of the signature.) 

Various signature means and methods are known or would be obvious to those skilled in the art. One 

10 method, that of choosing a subset of the domain of the signature function as valid messages, has already 
been described. Another approach might not make such a restriction, but might instead rely on information 
additional to the output of the signature function for input to the checking function. One-way functions may 
be thought of as public functions without publicly known inverses, such functions being well known in the 
art, such as the public function of an RSA system as earlier described, or those first disclosed by Purdy in 

75 "A High Security Log-in Procedure," Communications of the ACM, Vol. 17, No. 8, August 1974, p442. 
Suppose the range of a one-way function y(x) is the domain of a private signing function g(x), with public 
signature function inverse f(x). One way to use such functions to form digital signatures is to form a 
signature, s, as the secret signature function of the image of the desired message, a, under the one-way 
function, s = g(y(a)). A signature can be authenticated under such a scheme if numbers a and s are 

20 presented to the checker 105, such that y(a) = f(s). Notice that if the domain of y is larger than its range, 
then it serves to compress the matter to be signed. Also notice that if the domain of y is smaller than the 
range of g, then all or part of the number a may be encoded as the rest of the domain of g. In some cases 
a strict one-way property may not be required. 

Signing transformation 102 outputs some transformation of its input which depends on signing 

25 information at least secret from the other parties, shown as d in the preferred embodiment. Various 
exemplary signing transformations have been described above, but the function of the signing transforma- 
tion should be regarded as any transformation at least partially responsive to the information to be signed 
and to secret signing information, such that some suitable checking function can be performed meaning- 
fully. The term party, as mentioned earlier, may be used when referring to the signing transformation 102, 

30 and then it would be appropriate to say signer 102. 

Blinding transformation 103 takes a message from line 151, shown as m in the preferred embodiment, 
and a secret key from line 153. The nature of the source of m is not essential to the present invention, but 
the particular value of m resulting in an actual particular output of blinding transformation 103 received by 
signer 102 should not normally be revealed to the signer 102 by such a source, as this would allow the 

35 correspondence to be learned by the signer. The function of blinding transformation 103 is to produce 
output that does not normally reveal the actual message input to those not in possession of the secret key 
k, and to cooperate with the singing and unblinding transformations, as will be described. Thus, the blinding 
transformation may be thought of as a cryptographic transformation which hides some message by use of a 
key, with additional properties that allow it to cooperate with the other transformations. 

40 Unblinding transformation 104 takes a key from line 153 and a value from the signature transformation 
102 on life 157, and produces an output shown as line 159. The function of unblinding transformation 104 is 
to transform its input into a form which "retains a digital signature property related to original message m". 
In other words, a checker 105 should be able to return a positive result when supplied output of unblinding 
transformation 104, and possibly other appropriate information, such result indicating that a signature related 

45 to the original message m has been authenticated. 

Several possible properties of blind signature systems will be described in accordance with the 
teachings of the present invention. 

One general property of a blind signature scheme is that the blinding transformation should make it 
difficult, if not impossible, to determine the message m with certainty from the transformed message t 

so without key k. For the purposes of the present description, this property will be referred to as "hiding", and 
thus it may be said that the blinding transformation hides the message. In the preferred embodiment, as 
mentioned earlier, the blinding transformation includes multiplying modulo n by k*\ If e is non-zero and fixed 
and coprime with <j>(n), and k is chosen from the interval 0 to n-1, then, the signing function g(k) ■ k® (mod 
n) is one-to-one and onto. If m is coprime with n, then h(m) s g(k) • m (mod n) is one-to-one and onto. 

55 Thus, under the assumptions of proper e, and m coprime with n, a particular value of t could correspond 
with any value of m, with unique suitable k. In a sense then, it is believed that, the security of the hiding in 
the blinding transformation of the preferred embodiment is comparable to that of the so called one-time 
pad, when GCD(m.n) = GCD(e,4>(n)) = 1, and k chosen uniformly from the interval 0 to n-1. Of course, if e 



6 



EP 0 139 313 B1 



is not coprime with <£(n) then certain messages may have no signature; and if it is likely that m is not 
coprime with n, then it is likely that someone can guess a factor of n, or providers could use Euclid's 
algorithm to reject any non-coprime m. 

Another property of a blind signature scheme which may be important in some anticipated applications 
5 will be called "conservation of signatures". This property requires that it not usually be easy for someone to 
construct a set of transformed messages such that after each member of the set is signed, more 
authenticatable signatures can be derived than original members of the set were signed. The preferred 
embodiment, as mentioned earlier and to be described in detail, is believed to have this property in 
practice, when suitable signature authentication techniques are used, such as when a strong one-way 

io function of suitably large range and domain is used in the signature authentication scheme, as described 
earlier. One possible explanation for this property holding is that a set of I signed things can be thought of 
as giving at most I equations, and these can be solved for at most I unknowns. 

Yet another property of a blind signature system will be called the inability to "link", which may be 
understood as follows. Suppose there are I different messages, nrij for 1£j£l. Each message is the input to a 

75 blinding transformation, using key kj, and the result is I blinded messages tj. (It is not essential whether each 
message is blinded by a different party, all messages are blinded by the same party, or various parties 
each blind some subset of the messages.) Suppose further that the signer applys the signing transformation 
to each blinded message tj, and returns each transformed messages t'j to its provider. Further suppose that 
each provider applies the appropriate unblinding transformation to each t'j, yielding a collection of I unique 

20 messages m'j, each bearing a signature property. Suppose still further that the signer receives an 
unordered set whose I elements are exactly the m'j, which may be denoted {m'j} for 1£i£l. Finally, assume 
that the signer knows only the I things he has signed, tj, and the set {m'j}, and no outside information about 
the provider(s), their keys, or information flows from or to the provider(s). The signer can "link" the things 
received for signing tj with the things known to have the signature property {m'j}, if and only if he can 

25 determine with certainty for every element of {m'j}, the unique tj which corresponds with the same message 
m, under the assumptions above. If nothing at all can be known about the correspondence, under the 
assumptions above, not even associating different probabilities with different correspondences, then the 
blind signature system may be said to be "completely unlinkable." The term "blinded" may be used to 
indicate that it is not usually easy to completely link. For example, one m' and one t may be said to be 

30 blinded from each other without k, if it can not usually easily be determined without k that the two 
correspond. 

In the preferred embodiment, as mentioned earlier and to be described in detail, it is believed to be 
possible to come close to, or in some cases under certain assumptions even achieve, complete unlin- 
kability. A possible explanation for this might be that for each possible way to put the I items into 

35 correspondence, there could exist a unique set of values for the keys kj, such that this would be the true 
correspondence, but assuming each k is chosen so that all values are equally likely, all possible 
correspondences are equally likely. (Of course the question of actual generation of random numbers from a 
perfectly uniform distribution is beyond the scope of the present description.) It is believed that one 
possible explanation of this may be seen by considering the position of the signer as follows. He has two 

40 sets of values: {tj}, and {m'j}. If he assumes that t v corresponds with m' u , then he can determine the unique 
k which would have been used to form t v . This may be accomplished by solving the congruence t v • k® » 
m'® (mod n), for k v . To do this, one may first compute the multiplicative inverse of m u modulo n, and 
assuming that m and n are coprime, as mentioned earlier, there is a unique such value. Then the unique 
product of this value and t v is formed, modulo n. Finally, the result is raised to the d power modulo n, 

45 producing a unique result, assuming that e is coprime with <£(n). Thus, under the assumptions, for every 
possible way the two sets could be linked, there exists unique choices for the keys kj that would make this 
the true linking, and, as mentioned above, since the ks are by assumption chosen from a uniform 
distribution, all such choices for the keys kj are equally likely, and so all possible linkings are equally likely. 
This concept is further illustrated by numerical examples as will be presented in the detailed description of 

so the preferred embodiment. 

Referring now to FIG. 2, several exemplary modes of use in accordance with the teachings of the 
present invention will be presented. 

FIG. 2a shows a mode of use with only a single cryptographic blinding and corresponding cryp- 
tographic unblinding transformation, as mentioned earlier. The message m is transformed by cryptographic 

55 blinding transformation 203 into transformed message t, which is input to signature transformation 202, 
which transformation depends on secret signing information, not shown for clarity. The output of the signing 
transformation, t\ is input to the unblinding transformation 204, which transformation depends on key k, and 
which transformation produces output m f , bearing a signature property related to the m. (Notice that 

7 



EP 0 139 313 B1 



blinding transformation 203, signature transformation 202 and unblinding transformation 204 of FIG. 2a 
correspond with blinding transformation 103, signature transformation 102 and unblinding transformation 104 
of FIG. 1, respectively.) 

Referring now to FIG. 2b, a first mode of use is shown with two cryptographic blinding transformations, 
5 two cryptographic unblinding transformations, and two separate keys for these transformations. The original 
message m is transformed by blinding transformation 221, which transformation depends on key ki , 
producing output shown as ti, and then supplied as input to blinding transformation 222, which transforma- 
tion depends on key k2, and whose output is shown as ti, 2 . Signing transformation 223 takes this multiply 
transformed message as input and produces, in a way depending on secret signing information, not shown 
10 for clarity, output shown as t\ 2 - This output is shown as input to unblinding transformation 224, which 
depends on key k 2 , and produces output shown as t'i . This output is input to unblinding transformation 225, 
which depends on key ki , and which produces output shown as m' retaining a digital signature property 
related to m. 

In one use of this mode based on the preferred embodiment, described earlier and to be described in 
15 detail, the following congruences might hold: 

= m • k® (mod n), 

20 

25 " " 1<Z 



t« 1 = t' r 2 • k* 1 = m a • k 1 (mod n), 

30 

m' f. t f 1 . k* 1 = m d (mod n), 

and the checking function can be based on the congruence m' e s m (mod n). Thus, the blinding 
35 transformation 221 and 225 as well as the unblinding transformation 222 and 224 are each nearly the same 
as in the single key mode of the preferred embodiment to be described in detail. 

If only a single party with access to both keys ki and k 2 uses this mode, then it may be equivalent to a 
single key use, as in the preferred embodiment. The present mode may have additional benefits, 
advantages and features, however, in some anticipated applications. Consider the case where one party 
40 holds ki and a second holds k 2 . Both parties become mutually dependent once the signature transformation 
has been made: the first party requires the cooperation of the second to transform t'i i2 into m'; similarly, the 
second party requires the cooperation of the first to transform t'i into nV. In the embodiment described 
above, the second party can check that the signer 223 has performed the proper function, by checking that 

45 

t 1,2 ^ t 1,2 

(mod n). The first party is in a position to check the signature function performed by signer 223 by checking 
50 that ti a t'f (mod n), but this function is also available to the single provider party in a single non-signer 
party mode of use, but it is anticipated that the signature would normally be checked by the single party by 
checking that m s m ,e (mod n). Notice also that the communication between the second party and signer 
223 in the present mode is obscured from the first party. For example, the second party may be second 
party to several first parties, and they may not know which of the communications with signer 223 include 
55 their particular values of m. Similarly, the second party may obscure from the signer which of the 
communications with first party(s) correspond to particular signature transformations made by signer 223. In 
some embodiments, such as the preferred embodiment, it may even be the case that cooperation between 
the first party and signer 223 to determine the correspondence between communications known to one and 

8 



EP0 139 313 B1 



communications known to the other can be thwarted by the second party. 

Of course the present discussion can readily be generalized to a use based on a plurality of provider 
parties-not just two or fewer non-signer parties. In a multiple provider party use based on the preferred 
embodiment: each party performs transformations just as if they were in a single or two non-signer party 
5 use as described herein; parties may readily check that the signature property has been properly applied 
and transferred by the signer and those parties on the signer's side; and any intermediary party is able to 
thwart attempted linking even by cooperation of all other parties. 

Referring now to FIG. 2c, a second mode of use is shown with two cryptographic blinding transforma- 
tions, two cryptographic unblinding transformations, and two keys for these transformations. The original 
10 message m is transformed by blinding transformation 231 , which transformation depends on key ki , 
producing output shown as ti , and then supplied as input to blinding transformation 232, which transforma- 
tion depends on key k2, and whose output is shown as t 1#2 . Signing transformation 233 takes this multiply 
transformed message as input and produces, in a way depending on secret signing information, not shown 
for clarity, output shown as t\ 2 . This output is shown as input to unblinding transformation 234, which 
75 depends on key ki , and produces output shown as t* 2 . This output is input to unblinding transformation 235, 
which depends on key k 2 , and which produces output shown as m\ retaining a digital signature property. 

In one embodiment of this mode of use based on the preferred embodiment, described earlier and to 
be described in detail, the following congruences might hold: 



20 



25 



30 



35 



t l = m * k i (mod n) , 



; 1,2 = t i • *| (mod n), 



f 2 = t" 2 • k~ 1 = m d • k 2 (mod n), 



id 1 = t' 2 • k~ 1 = m d (mod n) , 



and the checking function can be based on the congruence m ,e ■ m (mod n). Thus, the blinding 

40 transformation 231 and 235 as well as the unblinding transformation 232 and 234 are each nearly the same 
as in the single key mode of of the preferred embodiment to be described in detail. 

Again, little advantage may result if one party uses two separate keys. The present mode may have 
additional benefits, advantages and features, however in some anticipated applications. Consider the case 
where one party holds ki and a second holds k 2 , as before. In the earlier described first two provider mode 

45 of use, the second party could cheat the first party by simply discarding ti and supplying some t2 of the 
second parties* choice to signer 223. Then the second party could unblind the resulting f 2 received from 
signer 223, and obtain the signature property on something chosen only by the second party, leaving the 
first party without the expected message bearing the signature property. In the present mode, however, if 
the signer only signs ti, 2 when supplied by the second party, and returns the t' 1(2 only to the first party, then 

so neither party can cheat the other. 

Of course both modes shown with two non-signer parties can readily be generalized in combination: a 
message travels through one permutation of the parties on the way to the signer and through a possibly 
different permutation on the way back. The no linking property is believed to still hold for any single 
intermediary party; the no cheating property holds for a party if no cheating party is between the party and 

55 the signer in at least one direction. 

DETAILED DESCRIPTION OF PREFERRED EMBODIMENT 



9 



EP 0 139 313 B1 



Turning now to FIG. 1, a detailed description of a preferred embodiment of the present invention is 
presented. One party to the system will be referred to as the "provider", shown as contained in the dashed 
box 101. Another distinguished party in the system is the "signer", shown as contained within dashed box 
102. A key source for developing a secret key preferably confidential to the provider, is shown contained 
5 within the provider 101. A secret signing key, d, is shown contained within signer 102. The provider also 
contains the ability to perform two transformations. A "blinding" transformation 103 and an "unblinding" 
transformation 104. A checking function 105 is also shown. 

The message m appear on line 151 as one multiplicand input to modular multiplier 121, such multipliers 
to be described. The other multiplicand input to modular multiplier 121 is from line 152, which is the output 
w of modular exponentiator 122, such modular exponentiators to be described. The base input to exponen- 
tial 122 appears on line 153, and is the key output from key source 123, such key sources described 
earlier. The exponent, or as used equivalently herein, the powerer input to exponentiator 122 is from line 

154, and is the public signature exponent shown as e. The product output of multiplier 121 appears on line 

155, which line is the base input to modular exponentiator 124. The exponent to exponentiator 124 is the 
75 secret signing key shown as d, which appears on line 156. The output of the exponentiator 124, in this 

embodiment, is the digital signature of its input base from line 155, and appears on line 157, which is input 
to modular multiplier 125. The other multiplicand input to multiplier 125 appears on line 158, which is the 
output of modular inverter 126, such modular inverters to be described. The modular inverter takes its input 
from the key source 123 mentioned earlier as line 153. The product output of modular multiplier 125 

20 appears on line 159, which is base input to modular exponentiator 127. The power input to exponentiator 
127 is shown as e on line 160. The output of exponentiator 127 is shown as m on line 161. 

The operation of the preferred embodiment shown in FIG. 1 will now be described in detail. A message 
m is obtained on line 151 by the provider. A key appears on line 153, denoted as k, preferably secret to the 
provider, is developed by key source 123, and is preferably chosen from the interval 0 to n-1 with each 

25 value as nearly equally likely as practical. The blinding transformation 103 takes these two inputs, lines 151 
and 153, and forms a blinded message denoted as t on its output line 155, such that t = m * k 6 (mod n). 
These functions of the blinding transformation 103 are accomplished as follows. Modular exponentiator 122 
takes the key k as its base input from line 153 and takes the public signature key e from line 154, and 
outputs on line 152 a value congruent modulo n to k e . Modular multiplier 121 takes this value from line 152 

30 and forms the modulo n product with the input m from line 151, and the product output appears on line 155. 
Now the signer 102 may obtain the blinded message t from line 155, and will normally output a digital 
signature of t on line 157, the output denoted as t\ such that t' = (mod n), where d is the secret signing 
exponent of the signer mentioned earlier. These functions of the signer 102 are accomplished as follows. 
Modular exponentiator 124 takes its base input from line 155, takes its power input from line 156, and its 

35 output appears on line 157. 

Now the provider may perform the unblinding transformation, shown as 104. The output of the signer, t\ 
and the secret key k are inputs to this function and it produces, in this embodiment, a digital signature on 
m, denoted m\ such that m* = m d (mod n). This function of the unblinding transformation is performed as 
follows. The multiplicative inverse of the secret key k is formed by the modular inverter 126. Then the 

40 product modulo n of the multiplicative inverse, shown as k~\ and the signed blinded message t' from line 
157 is formed by modular multiplier 125, and its output appears on line 159. 

At some latter time, one or more parlies may wish to check or authenticate the digital signature m' on 
the original message m. This function may be performed by checking that m = m ,e , and that m is a valid 
message, as described earlier. This function can be performed by the modular exponentiator 127, which 

45 takes its base input from line 159 and its power from line 160, and whose output appears on line 161. A 
specific example of further checking for valid messages or the like is not shown for clarity, but such 
techniques would be obvious from the earlier description, and are well known to those of ordinary skill in the 
art. For example, the binary representation of the value on line 161 could be split into two halves, and the 
number considered valid if the result of comparing the two halves indicates they are identical. 

50 The following table illustrates the operation of one use of the preferred embodiment by associating the 
various line numbers in the first row and their symbolic names in the second, with the exemplary values in 
the remaining nine data rows. The table uses an RSA system based on primes 29 and 31 chosen by the 
signer. The modulus made public by the signer would then be n = 29 " 31 = 899. The signer is assumed to 
have chosen e to be 17, (possibly after checking that GCD(17,<£(n)) = 1) and computed its multiplicative 

55 inverse modulo <J>(n)= (29-1) • (31-1) = 840, and with the result d = 593. Of course such a system is based 
on numbers far too small to be secure. (Finding k~ 1 for the value of k in the first data row is the subject of 
an example of the operation of the modular inverter to be described.) Notice that the first and second data 
rows have the same t values as the penultimate and last data rows respectively, but that their messages m 



10 



EPO 139 313 B1 

are interchanged with different values of k, as mentioned earlier. 



w 



75 



151 


153 


152 


155 


157 


158 


159 


m 


k 


k 6 


t 


f 


k" 1 


m* 


628 


255 


886 


826 


19 


691 


543 


254 


685 


84 


659 


698 


21 


274 


40 


393 


210 


309 


340 


716 


710 


153 


440 


212 


72 


541 


615 


85 


755 


748 


16 


393 


110 


256 


291 


623 


111 


107 


135 


601 


81 


135 


724 


308 


461 


235 


69 


108 


260 


254 


548 


520 


826 


19 


251 


274 


628 


94 


807 


659 


698 


373 


543 



Referring now to FIG. 3, a detailed description of an exemplary embodiment of a modular multiplicative 
inverter, herein called a modular inverter, is presented. The number to be inverted appears on line 351 , and 
is initially loaded into register 301. The output of register 301 appears on line 352, which is input to register 

20 302, which takes its initial value, the modulus n, from line 353, and has output on line 354. Ordinary 
arithmetic divider 303, takes its dividend from line 354 and its divisor from line 352, its quotient output 
appears on line 355 and its remainder output appears on line 356. Such binary arithmetic dividers for 
unsigned integers are well known in the art, for example see K. Hwang, "Computer Arithmetic: principles, 
architecture, and design" John Wiley, 1979, Chapter 7. Line 356 is input to register 301, described earlier. 

25 Line 355 is input to modular multiplier 304, such multipliers to be described. The output of modular 
multiplier 304 is line 357, which is subtrahend input to modular subtracter 305, such subtractors to be 
described. The difference output of modular subtractor 305 is line 358, which is input to register 306, which 
takes its initial value of 1 from line 359 and whose output appears on line 360. Modular multiplier 304 
already described takes one of its multiplicand inputs from line 360. Register 307 takes input from line 360, 

30 takes its initial value of 0 from line 361, and its output appears on line 362. Line 362 is minuend input for 
modular subtractor 305 already described, and is the output of the modular inverter. 

A detailed description of the operation of the modular inverter of FIG. 3 is now presented. The modular 
inverter takes an input from line 351 whose value is between 0 and n-1, and produces on the output line 
362 a value between 0 and n-1 which is congruent to the multiplicative inverse modulo n of the value input. 

35 The principle of operation is based on a. variation of Euclid's algorithm, and is well known in the art. See 
Knuth, D.E., "The Art of Computer Programming: Volume 2/ Seminumerical Algorithms," Addison-Wesley, 
1969, Euclid's algorithm, page 297, exercise 4.5.2 #15 on page 315, and answer to exercise 4.5.2 #15 on 
page 523. Initially register 302 contains n, register 301 contains the input from line 351, register 306 
contains 1, and register 307 contains 0. The operation proceeds synchronously by clock pulses sufficiently 

40 spaced to allow all lines to settle between pulses. Clock pulses occur until the first time that the contents of 
register 301 are 0. The clock and associated lines, as well zero detector for register 301, are not shown for 
clarity, but would be obvious to those skilled in the art from the present description. Before the first clock 
pulse and after each clock pulse, divider 303 divides the contents of register 302 by the contents of register 
301 and supplies the quotient to modular multiplier 304 and the remainder to the input to register 301 . Once 

45 the quotient value settles, modular multiplier 304 forms the modulo n product of the quotient and the 
contents of register 306, and supplies the product as the minuend input to modular subtractor 305. Once 
the product value settles, modular subtractor 305 subtracts modulo n the product from the contents of 
register 307 and supplies the difference to an input of register 306. With the rising edge of each clock 
pulse, register 302 latches in new contents from line 352, and register 307 latches in new contents from line 

50 360. During the falling edge of each clock pulse, register 301 latches in new contents from line 356, and 
register 306 latches in new contents from line 358. The duration of each clock pulse is short enough that 
the output of modular subtractor 305 and the remainder output 356 of divider 303 do not change between 
the rising and falling edge of a clock pulse. 

The following table illustrates the operation of the modular inverter by showing the contents of the 

55 various registers at the end of each cycle. Cycles #0 shows the initial state; and as can be seen from the 
first row, the number whose inverse is sought is 255, initially in register 301; and the modulus n is 899, 
initially in register 302. As can be seen from the row of cycle #6, the result in register 307 is 691. 



11 



EP 0 139 313 B1 



5 





register number 




cycle 


301 


302 


306 


307 


15 


#0 


255 


899 


1 


0 




#1 


134 


255 


896 


1 




#2 


121 


134 


4 


896 




#3 


13 


121 


892 


4 




#4 


4 


13 


67 


892 


20 


#5 


1 


4 


691 


67 




#6 


0 


1 


0 


691 



Turning now to FIG. 4, a detailed description of an exemplary embodiment of a modular exponentiator 
is presented for completeness. The base input appears on line 451, which is an initial input to register 401. 
The output of register 401 appears on line 452, which is both multiplicand inputs to modular multiplier 402, 
to be described. The output of modular multiplier 402, line 453, is an data input to register 401 . The output 
of register 401, line 452, is one multiplicand input to modular multiplier 403. The product output of modular 
multiplier 403 appears on line 454 and is a data input for register 404. The initial value for register 404 is 1 
and is shown on line 455. The contents of register 404 appear on line 456, which is input to modular 
multiplier 403 and also output of the modular exponentiator. The exponent input appears on line 457 and is 
initial data input for ordinary right shifting binary shift register 405. The rightmost bit of shift register 405 
appears as its output on line 458, which line enables the latching function of register 404, to be described. 

A detailed description of the operation of the exemplary modular exponentiator of FIG. 4 is now 
presented. The modular exponentiator takes two inputs, a base from line 451 (represented as a value 
between 0 and n-1) and a power from line 457 (a positive binary integer), and produces on its output line 
456 a value between 0 and n-1 that is congruent modulo n to the base raised to the power. The principle of 
operation is to form the product of the base raised to all powers of two that correspond with set bits in the 
exponent. (For example, notice that 21 = 2° + 2 2 + 2*, and 

5 21 = 5 • 5 2 * • 5 2 ** = ^76837158203125.) 



Initially, the base and exponent are in registers 401 and 405 respectively, and register 404 is reset to one. 
The operation proceeds in I cycles, where I is the number of bits used to represent numbers between 0 and 
n-1 . At the end of each of the I cycles a clock line (not shown for clarity) is raised briefly from the zero state 
to the one state and then returned to the zero state. During the first cycle, the contents of register 401 is 
squared (modulo n) by modular multiplier 402 and appears on line 453, and the modulo n product of the 
content of register 401 and register 404 is developed by modular multiplier 403 and appears on line 454. At 
the end of the first cycle, on the rising edge of the first clock pulse, the value on line 453 is latched into 
register 401 , the value on line 454 is latched into register 404 only when the enabling value on line 458 is a 
one bit, and on the falling edge of the clock the contents of register 405 is shifted one bit to the right. 
During each of the 1-1 subsequent cycles, the new products settle on lines 453 and 454, and at the end of 
the cycle, with the rising edge of the clock, the value on line 453 is latched into register 401 , and the value 
on line 454 is latched into register 404 if and only if line 458 has the enabling value of a one bit, and with 
the falling edge of the clock, the contents of register 405 is shifted one bit to the right. Thus, after the fall of 
the clock pulse I, the last clock pulse, all the original bits of register 405 have been shifted out, register 401 
contains a number congruent modulo n to the value on line 451 squared I times, and the content of register 
404 is the desired value and is on the output line 456 of the modular exponentiator. 

Referring now to FIG. 5, a detailed description of an exemplary embodiment of a modular multiplier is 
presented for completeness. One multiplicand input appears on line 551, which is an input to register 501. 
The output of register 501 appears on line 552, which is both addend inputs to modular adder 502, to be 
described described. The output of modular adder 502, line 553, is an input to register 501. The output of 
register 501, line 552, is one addend input to modular adder 503. The sum output by modular adder 503 
appears on line 554 and is a data input for register 504. The initial value for register 504 is 0 and is shown 
on line 555. The contents of register 504 appear on line 556, which is input to modular adder 503 and also 
output of the modular multiplier. The second multiplicand input appears on line 557 and is data input for 
ordinary right shifting binary shift register 505. The rightmost bit of shift register 505 appears as its output 
on line 558, which line enables the latching function of register 504, to be described. 



12 



EP 0 139 313 B1 



A detailed description of the operation of the exemplary modular multiplier of FIG. 5 is now presented. 
The modular multiplier takes two multiplicands, one from each of lines 551 and 557, each represented as a 
value between 0 and n-1, and produces on its output line 503 a value between 0 and n-1 that is congruent 
modulo n to the product of the multiplicands. The principle of operation is to form the sum of one 
5 multiplicand multiplied by all powers of two that correspond with set bits in the other multiplicand. (Notice, 
for example, that 21 = 2° + 2 2 + 2*, and 

13 • 21 = 13 • 2° + 13 * 2 2 + 13 * 2* = 273.) Initially, the multiplicands are in registers 501 and 505, and 
register 504 is reset to zero. The operation proceeds in I cycles, where I is the number of bits used to 
represent numbers between 0 and n-1. At the end of each of the I cycles a clock line (not shown for clarity) 

10 is raised briefly from the zero state to the one state and then returned to the zero state. During the first 
cycle, the contents of register 501 is doubled (modulo n) by modular adder 502 and appear on line 553, 
and the modulo n sum of the content of register 501 and register 504 is developed by modular adder 503 
and appears on line 554. At the end of the first cycle, on the rising edge of the first clock pulse, the value 
on line 553 is latched into register 501, the value on line 554 is latched into register 504 only when the 

75 enabling value on line 558 is a one bit, and on the falling edge of the clock the contents of register 505 is 
shifted one bit to the right. During each of the 1-1 subsequent cycles, the new sums settle on lines 553 and 
554, and at the end of the cycle, with the rising edge of the clock, the value on line 553 is latched into 
register 501, and the value on line 554 is latched into register 504 if and only if line 558 has the enabling 
value of a one bit, and with the falling edge of the clock, the contents of register 505 is shifted one bit to the 

20 right. Thus, after the fall of the Ith (final) clock pulse, all the original bits of register 505 have been shifted 
out, register 501 contains a number congruent modulo n to the value on line 551 doubled I times, and the 
content of register 504 is the desired value and is on the output line 556 of the modular multiplier. 

Referring now to FIG. 6, a detailed description of an exemplary embodiment of a modular subtractor is 
presented for completeness. The subtrahend to the modular subtractor is on line 651 which is the 

25 subtrahend to ordinary arithmetic subtractor 601, such ordinary arithmetic binary subtractors with positive 
integer inputs being well known in the art. The minuend input to subtractor 601 is on line 652 and is the 
modulus n. The result of the ordinary subtractor 601 appears on line 653. Modular adder 602, to be 
described, takes the difference from line 653 and the minuend for the modular subtractor from line 654, and 
produces the modulo n sum as its output on line 655. 

30 The detailed operation of the modular subtractor of FIG. 6 is now described. Its inputs are numbers 
between 0 and n-1 and it produces a number between 0 and n-1 which is congruent to the difference of the ' 
input numbers modulo n. A number congruent to the additive inverse modulo n of the subtrahend from line 
651 is developed by subtractor 601, by subtracting from n, and transmitted by line 653 to modular adder 
655, and then added modulo n to the minuend on line 654, producing the result on line 655. 

35 Referring now to FIG. 7, a detailed description of an exemplary embodiment of a modular adder is 
presented for completeness. The two numbers to be added are supplied on lines 751 and 752, which are 
the summand inputs to ordinary binary adder 701, such ordinary binary arithmetic adders being well known 
in the art. The output of adder 701 is supplied by line 753 to the subtrahend input to ordinary binary 
subtractor 702. The minuend supplied subtractor 702 on line 754 is the modulus n for the modular addition. 

40 The result of the ordinary subtraction by subtractor 702 appears on line 755. Ordinary binary comparator 
703, such comparators being well known in the art, takes one comparend input from line 753 and the other 
comparend from line 756, which is the modulus n, and develops a single output bit indicating the result of 
the comparison, which output appears on line 757. Selector 704 takes its two data inputs from lines 755 and 
753, and its control input from line 757, has output on line 758, the output of the modular adder, and 

45 outputs data from line 753 if comparator output 757 indicates that data value on line 753 is less than the 
data value on line 756, and outputs data from line 755 otherwise. 

The operation of the exemplary modular adder of FIG. 7 will now be described in detail. The modular 
adder takes two numbers between 0 and n, not both n, and produces as output a third numbers between 0 
and n-1 which is congruent to the sum of the inputs modulo n. Two numbers to be added modulo n appear 

so on lines 751 and 752 and are added by ordinary arithmetic producing a sum on line 753. The sum is 
subtracted from n by subtractor 702 with the result on line 755. The sum is compared with n by comparator 
703, with the result on line 757. If the comparison indicates that the sum is less than n then the sum is 
between 0 and n-1 and is output on line 758; otherwise the sum is at most n too large, and the difference of 
the sum and n from line 755 is output on line 758. 

55 

Claims 

1. A digital signature cryptographic method for at least a first provider party (101) and a second provider 



13 



EP0 139 313 B1 



party to develop digital signatures checkable as corresponding to a public key (154) of a signing party 
(1 02), the method comprising the steps of: 

communicating data (155; 157) between the first provider party (101) and the signing party (102) where 
data (155) sent by the first provider party is responsive to at least a first key (153) of the first provider 
5 party and data (157) sent by the signing party is responsive to at least the private key (156) of the 

signing party which is related to the public key (154) of the signing party; 

communicating data between the second provider party and the signing party (102) where data sent by 
the second provider party is responsive to at least a second key of the second provider party and data 
sent by the signing party is responsive to at least the private key (156) of the signing party which is 
w related to the public key (154) of the signing party; processing responsive to the first key (153) by the 
first provider party (101) of data (157) received in the communication to produce a first digital signature 
(159) checkable as related to the public key (154) of the signing party (102); 

processing responsive to the second key by the second provider party of data received in the 
communication to produce a second digital signature checkable as corresponding to the public key 
75 (154) of the signing party (102); 

the foregoing steps characterized in that there exists at least a third key and at least a fourth key such 
that: 

when the third key is substituted for the first key (153) by the first provider party (101) and the fourth 
key is substituted for the second key by the second provider party, and when the message content of 
20 the data (155; 157) that was communicated between the first provider party (101) and the signing party 
(102) is instead communicated between the second provider party and the signing party, 
and when the message content of the data that was communicated between the second provider party 
and the signing party (102) is instead communicated between the first provider party (101) and the 
signing party, 

25 then the processing step of the first provider party (101) still yields the first digital signature (159) and 

the processing step of the second provider party still yields the second digital signature. 

2. A method according to claim 1 characterized in that there exists a probability distribution for 
independent choice of the first key and the second key so that any resulting signature is substantially 

30 equally likely to have resulted from processing responsive to the data messages of the first commu- 
nication as from the data messages of the second communication. 

3. A method according to claim 2 characterized in that the first and second keys are chosen substantially 
independently and substantially according to the distribution. 

35 

4. A method according to any of the previous claims characterized in that algorithmic transformations are 
used at least in part as a source for the first and second keys. 

5. A method according to any of the previous claims characterized in that unpredictable physical 
40 phenomena are used at least in part as a source for the first and second keys. 

6. A method according to any of the previous claims characterized in that a provider party chooses the 
message upon which the digital signature is produced. 

45 7. A method according to any of the previous claims characterized in that more than two provider parties 
each develop a digital signature. 

8. A method according to claim 6 characterized by substantially complete unlinkability of a set of digital 
signatures to the corresponding set of messages communicated with the supplier parties. 

50 

9. A method according to any of the previous claims characterized in that at least one provider party 
develops plural digital signatures. 

10. A method according to any of the previous claims, characterized in that a provider party (101) checks a 
55 digital signature (159) developed. 

11. A method according to any of the previous claims characterized in that a digital signature developed by 
a provider party (101) is checked by another party (105). 



14 



EP0 139 313 B1 



12. A method according to any of the previous claims characterized in that a set of provider parties each 
form a product with an element derived from a respective key in forming the respective data message 
sent to the signing party (102), and that the processing steps by provider parties includes forming a 
product of the respective data received with a multiplicative inverse of a signed form of the respective 
5 key, in a finite structure where such multiplication and multiplicative inverses are defined. 

1a A method according to any of the previous claims characterized in that: 

a first message signal t (155) is formed by transforming first value m using a first key k (153) according 
to f ■ mk 9 (mod n), where e is a public signing key and n is a public signature modulus; 
w a second message signal f (157) is formed by transforming the first message signal t (155) using a 
secret signing key d according to fa (mod n); 

the second message signal t' is processed using the first key k to produce a digital signature m' 
described by m' = rrf* (mod n); and 

the digital signature m' is checked by verifying that m' e = m (mod n). 

15 

14. A method according to any of the previous claims characterized in that it is used in providing 
untraceability of value transfers. 

15. A method according to claim 14 characterized in that a digital signature, that is received in exchange 
20 for value, is checked. 

16. A method according to claim 15 characterized in that a checking party maintains a record depending 
on previously checked signatures to detect signatures that are presented more than once. 

25 17. Cryptographic apparatus for at least a first provider party (101) and a second provider party to develop 
digital signatures (159) checkable as corresponding to a public key (154) of a signing party (102), the 
aparatus comprising: means for communicating data (155; 157) between the first provider party (101) 
and the signing party (102) including means for developing data sent by the first provider party 
responsive to at least a first key (153) of the first provider party, and means for developing data (157) 

30 sent by the signing party responsive to at least the private key (156) of the signing party related to the 
public key of the signing party (154); 

means for communicating data between the second provider party and the signing party (102) including 
means for developing data sent by the second provider party responsive to at least a second key of the 
second provider party and means for developing data sent by the signing party responsive to at least 
35 the private key (156) of the signing party related to the public key (154) of the signing party; 

means for processing data (157) received by the first provider party (101) responsive to the first key 
(153) to produce a first digital signature (159) checkable as related to the public key (154) of the 
signing party (102); and 

means for processing data received by the second provider party responsive to the second key to 
40 produce a second digital signature checkable as corresponding to the public key (154) of the signing 
party (102); 

characterized in that the key sources are able to provide at least a third key and at least a fourth key 
such that: 

when the third key is substituted for the first key (153) by the first provider party (101) and the fourth 
45 key is substituted for the second key by the second provider party, and when the message content of 

the data (155; 157) that was communicated between the first provider party (101) and the signing party 
(102) is instead communicated between the second provider party and the signing party, 
and when the message content of the data that was communicated between the second provider party 
and signing party (102) is instead communicated between the first provider party (101) and the signing 
50 party, 

then the processing means of the first provider party (101) still yields the first digital signature (159) 
and the processing means of the second provider party still yields the second digital signature. 

18. An apparatus according to claim 17 characterized in that means are provided for a set of provider 
55 parties each to form a product with an element derived from a respective key in forming data 
messages sent to the signing party (102), and that the processing means of each provider partiy 
includes means for forming a product of data received with a multiplicative inverse of a signed form of 
the respective key, in a finite structure where such multiplication and multiplicative inverses are defined. 



15 



EP 0 139 313 B1 



19. An apparatus according to claim 17 or 18 characterized in that means are provided to use algorithmic 
transformations at least in part as a source for the first and second keys. 

20. An apparatus according to any of the claims 17-19 characterized in that means are provided to use 
5 unpredictable physical phenomena at least in part as a source for the first and second keys. 

21. An apparatus according to any of the claims 17-20 characterized in that at a provider party means are 
provided to choose the message upon which the digital signature is produced. 

w 22. An apparatus according to any of the claims 17-21 characterized in that at a provider party (101) means 
are provided to check a digital signature (159) developed. 

23. An apparatus according to any of the claims 17-22 characterized in that a set of provider parties each 
transform a respective first message signal by at least forming a product with an element derived from 
75 a corresponding key, and that the means for processing resulting data messages by provider parties 

include means for forming a product of data received with a multiplicative inverse of a signed form of 
the corresponding key, in a finite structure where such multiplication and multiplicative inverses are 
defined. 

20 24. An apparatus according to any of the claims 17-23 characterized in that: 

means are provided to form a first information signal t (155) by transforming first data in using a first 
key k (153) according to t ■ mk° (mod n), where e is a public signing key and n is a public signature 
modulus; 

means are provided to form a second information signal f (157) by transforming the first information 
25 signal t (155) using a secret signing key d according to V = & (mod n); 

means are provided to process the second information signal f using the first key k to produce a 
digital signature m' described by m' = m d (mod n)\ and 

means are provided to check the digital signature m' by verifying that m' e ~ m (mod n). 

30 25. An apparatus according to any of the claims 17-24 characterized in that it is used in providing 
untraceability of value transfers. 

26. An apparatus according to claim 25 characterized in that means are provided for checking a digital 
signature received in exchange for value. 

35 

27. An apparatus according to claim 26 characterized in that at a checking party means are provided to 
maintain a record depending on previously checked signatures to detect signatures that are presented 
more than once. 

40 Revendications 

1. Un procede de chiffrage de signature numerique pour au moins une premiere entite realisatrice (101) et 
une deuxieme entite realisatrice pour developper des signatures numeriques verifiables comme 
correspondant a une cle publique (104) d'une entite signataire (102), le procede comprenant les etapes 
45 consistant a : 

communiquer, entre la premiere entite realisatrice (101) et I'entite signataire (102), une donnee 
(155, 157), ou la donnee (155) envoyee par la premiere entite realisatrice est sensible a au moins a 
une premiere cle (153) de la premiere entite realisatrice et la donnee (157) envoyee par I'entite 
signataire est sensible au moins a la cle privee (156) de I'entite signataire qui est liee a la cle publique 

so (154) de I'entite signataire; 

communiquer entre la deuxieme entite realisatrice et I'entite signataire (102) une donnee dans 
laquelle la donnee envoyee par la deuxieme entite realisatrice est sensible au moins a une deuxieme 
cle de la deuxieme entite realisatrice et od la donnee envoyee par I'entite signataire est sensible au 
moins a la cle* privde (156) de I'entite* signataire qui est liee a la cle* publique (154) de I'entite* 

55 signataire; 

faire traiter par la premiere entite realisatrice (101), d'une maniere sensible a la premiere cle (153), 
la donnee (157) regue dans la communication pour produire une premiere signature numerique (159) 
verifiable en tant que liee a la cle publique (154) de I'entite signataire; 



16 



EP 0 139 313 B1 



faire traiter par la deuxieme entite realisatrice, d'une maniere sensible a la deuxieme cle, la donnee 
regue dans la communication pour produire une deuxieme signature numerique verifiable comme 
correspondant a la cle publique (154) de I'entite signataire (102); 

les etapes precedentes etant caracterisees en ce qu'il existe au moins une troisieme cle et au 
5 moins une quatrieme cle telles que : 

lorsque Ton remplace, par la troisieme cle, la premiere cle (153) de la premiere entite realisatrice 
(101) et, par la quatrieme cle, la deuxieme cle de la deuxieme entite realisatrice, 

et lorsque le contenu du message de la donnee (154; 157) qui a ete communique entre la premiere 
entite realisatrice (101) et I'entite signataire (102) est communique, au lieu de cela, entre la deuxieme 
70 entite realisatrice et I'entite signataire, 

et que le contenu du message de la donnee qui a ete communique entre la deuxieme entite 
realisatrice et I'entite signataire (102) est communique, au lieu de cela, entre la premiere entite 
realisatrice (101) et I'entite signataire, 

I'etape de traitement de la premiere entite realisatrice (101) fournit encore la premiere signature 
75 numerique (159) et I'etape de traitement de la deuxieme entite realisatrice fournit encore la deuxieme 
signature numerique. 

2. Un procede selon la revendication 1, caracterise en ce qu'il existe une repartition de probabilite pour un 
choix independant de la premiere cle et de la deuxieme cle afin qu'il soit, sensiblement, egalement 

20 probable que toute signature resultante a resulte d'un traitement sensible aux messages de donnees de 

la premiere communication qu'aux messages de donnees de la deuxieme communication. 

3. Un procede selon la revendication 2, caracterise en ce que la premiere et la deuxieme cles sont 
choisies de fagon sensiblement ind^pendante et sensiblement selon la repartition. 

25 

4. Un procede selon Tune quelconque des revendications precedentes caracterise en ce que des 
transformations algorithmiques sont utilisees au moins en partie comme source de la premiere et de la 
deuxieme cles. 

30 5. Un procede selon I'une quelconque des revendications precedentes, caracterise en ce que des 
phenomenes physiques imprevisibles sont utilises au moins en partie comme source de la premiere et 
de la deuxieme cles. 

6. Un procede selon I'une quelconque des revendications precedentes, caracterise en ce qu'une entite 
35 realisatrice choisit le message sur lequel la signature numerique est produite. 

7. Un procede selon I'une quelconque des revendications precedentes, caracterise en ce que plus de 
deux entites realisatrices developpent chacune une signature numerique. 

40 8. Un procede selon la revendication 6, caracterise par une impossibility sensiblement complete de relier 
un jeu de signatures numeriques au jeu correspondant de messages communiques avec les entites 
realisatrices. 

9. Un procede selon Tune quelconque des revendications precedentes, caracterise en ce qu'au moins une 
45 entite realisatrice developpe plusieurs signatures numeriques. 

10. Un procede selon I'une quelconque des revendications precedentes, caracterise en ce qu'une entite 
realisatrice (101) verifie une signature numerique (159) developpee. 

so 11. Un procede selon I'une quelconque des revendications precedentes, caracterise en ce qu'une signature 
numerique developpee par une entite realisatrice est verifiee par une autre entite (105). 

12. Un procede selon Tune quelconque des revendications precedentes, caracterise en ce qu'un jeu 
d'entites realisatrices forme chacune un produit avec un element derive* d'une cle" respective en formant 
55 la donnee de message respective envoy£e a I'entite signataire (102), et en ce que les etapes de 
traitement effectuees par les entites realisatrices comprennent la formation d'un produit de la donnee 
respective regue avec un inverse multiplicatif d'une forme signee de la cle respective, dans une 
structure finie ou sont definis cette multiplication et ces inverses multiplicatifs. 



17 



EP 0 139 313 B1 



13. Un procede selon Tune quelconque des revendications precedentes caracterise* en ce que : 

un premier signal de message t (155) est forme en transformant une premiere valeur m en utilisant 
une premiere cle k (153) selon liquation t = m/c° (mod n), ou e est une cle* publique de signature et n 
est un module public de signature; 
5 un deuxieme signal de message f (1 57) est forme en transformant le premier signal de message f 

(155) en utilisant une cle secrete de signature d selon I'equation t ' = t° (mod n); 

le deuxieme signal de message V est traite en utilisant la premiere cle k pour produire une 
signature numeVique m' d^crite par m' = rrf* (mod ri)\ et 

la signature numerique m' est verifiee en verifiant que m ,e = m (mod n). 

10 

14. Un procede selon Tune quelconque des revendications precedentes, caracterise en ce qu'il est utilise 
pour realiser Timpossibilite de retracer des transferts de valeurs. 

15. Un procede selon la revendication 14 caracterise en ce qu'une signature numerique, qui est regue en 
75 ^change d'une valeur, est ve>ifi£e. 

16. Un procede selon la revendication 15 caracterise en ce qu'une entite verificatrice maintient un 
enregistrement qui est fonction des signatures verifiees precedemment afin de detecter les signatures 
qui sont presentees plus d'une fois. 

20 

17. Appareil de chiffrage pour au moins une premiere entite realisatrice (101) et une deuxieme entite 
realisatrice pour developper des signatures numeriques (159) verifiables comme correspondant a une 
cle publique (154) d'identite* signataire (102), I'appareil comprenant : 

un moyen pour communiquer une donnee (155; 157) entre la premiere entite realisatrice (101) et 
25 I'entite signataire (102) comprenant un moyen sensible a une premiere cle (153) de la premiere entite 

realisatrice pour developper une donnee envoyee par la premiere entite realisatrice, et un moyen, 
sensible a au moins la cle privee (156) de I'entite signataire liee a la cle publique de I'entite signataire 
(154), pour developper une donnee (157) envoyee par I'entite signataire,; 

un moyen pour communiquer une donnee entre la deuxieme entite realisatrice et I'entite signataire 
30 (102) comprenant un moyen, sensible a au moins une deuxieme cle de la deuxieme entite realisatrice , 
pour developper une donnee envoyee par la deuxieme entite realisatrice et un moyen, sensible au 
moins a la cle privee (156) de^'entite* signataire liee a la cle publique (154) de I'entite signataire, pour 
developper une donnee envoyee par I'entite signataire; 

un moyen sensible la premiere cle (153) pour traiter une donnee (157) regue par la premiere entite 
35 realisatrice (101) afin de produire une premiere signature numerique (159) verifiable en tant que liee a 
la cle publique (154) de I'entite signataire (102); et 

un moyen sensible a la deuxieme cle pour traiter une donnee regue par la deuxieme entite 
realisatrice afin de produire une deuxieme signature numerique verifiable comme correspondant a la 
cle publique (154) de I'entite* signataire (102); 
40 caracterise en ce que les sources de cles sont susceptibles de realiser au moins une troisieme cle 

et au moins une quatrieme cle de telle maniere que : 

lorsque la premiere entite realisatrice remplace la premiere cle (153) par la troisieme cle et que la 
deuxieme entite realisatrice remplace la deuxieme cle par la quatrieme cle, 

et que le contenu du message de la donnee (155; 157) qui a ete* communique entre la premiere 
45 entite realisatrice (101) et I'entite* signataire (102) est communique, au lieu de cela, entre la deuxieme 
entite realisatrice et I'entite signataire, 

et que le contenu du message de la donnee qui a 6x6 communique* entre la deuxieme entite* 
realisatrice et I'entite signataire (102) est communique, au lieu de cela, entre la premiere entite 
realisatrice (101) et I'entite signataire, 
so le moyen de traitement de la premiere entite realisatrice (101) fournit encore la premiere signature 

numerique (159) et le moyen de traitement de la deuxieme entite realisatrice fournit encore la 
deuxieme signature numerique. 

18. Un appareil selon la revendication 17, caracteVise* en ce qu'il est preVu pour un jeu d'entites 
55 rdalisatrices, des moyens pour former chacune un produit avec un eminent deVive* d'une cle* respective 

pour former des messages de donn£es envoyes a I'entite signataire (102), et en ce que le moyen de 
traitement de chaque entite realisatrice comprend un moyen pour former un produit de donnee regu 
par un inverse multiplicatif d'une forme sign£e de la cle respective, dans une structure finie ou sont 



18 



EP 0 139 313 B1 



definis cette multiplication et ces inverses multiplicatifs. 

19. Un appareil selon la revendication 17 ou 18, caracterise en ce qu'il est prevu des moyens pour utiliser 
des transformations algorithmiques au moins en partie en tant que source de la premiere et de la 

5 deuxieme cles. 

20. Un appareil selon Tune quelconque des revendications 17 a 19, caracterise en ce qu'il est prevu des 
moyens pour utiliser des ph£nomenes physiques impr£visibles au moins en partie comme source de la 
premiere et de la deuxieme cles. 

10 

21. Un appareil selon Tune quelconque des revendications 17 a 20, caracterise en ce qu'il est prevu, a une 
entite realisatrice, un moyen pour choisir le message sur lequel la signature numerique est produite. 

22. Un appareil selon Tune quelconque des revendications 17 a 21, caracterise en ce qu'il est prevu, a une 
75 entite realisatrice (101), un moyen pour verifier une signature numerique d£velopp£e (159). 

23. Un appareil selon Tune quelconque des revendications 17 a 22, caracterise en ce qu'un jeu d'entites 
realisatrices transforme chacune un premier signal de message respectif en formant au moins un 
produit avec un element derive d'une cle correspondante, et en ce que le moyen destine au traitement, 

20 par les entites realisatrices, des messages de donnees resultants comprennent des moyens pour 

former un produit de donnees regu par un inverse multiplicatif d'une forme signee de la cle 
correspondante, dans une structure finie ou sont definis cette multiplication et ces inverses multiplica- 
tifs. 

25 24. Un appareil selon Tune quelconque des revendications 17 a 23, caracterise en ce que : 

il est prevu des moyens pour former un premier signal d'information t (155) en transformant une 
premiere donnee m en utiiisant une premiere cle k (153) selon la formule t = mk 3 (mod n), ou e est 
une cle publique de signature et n est un module public de signature; 

il est prevu des moyens pour former un deuxieme signal d'information V (157) en transformant le 
30 premier signal d'information t (155) en utiiisant une cle secrete de signature d selon t, = f* (mod n); 

il est pre*vu des moyens sont pour traiter le deuxieme signal d'information f en utiiisant la premiere 
cle k pour produire une signature numerique m f decrite par m' = rrf* (mod n)\ et 

il est prevu des moyens pour verifier la signature numerique /n' en verifiant que m' 9 = m (mod n). 

35 25. Un appareil selon I'une quelconque des revendications 17 a 24, caracterise en ce qu'il est utilise pour 
garantir I'impossibilite de retracer des transferts de valeurs. 

26. Un appareil selon la revendication 25, caracterise en ce que des moyens sont prevus pour verifier une 
signature numeVique recue en ^change d'une valeur. 

40 

27. Un appareil selon la revendication 26, caracterise en ce que des moyens sont prevus a une entite 
verificatrice pour maintenir un enregistrement qui est fonction de signatures verifiees precedemment 
afin de detecter des signatures qui sont presentees plus d'une fois. 

45 Patentanspriiche 

1. Verfahren zur VerschlUsseiung einer digitalen Unterschrift, bei dem mindestens eine erste Ausgeber- 
partei (101) und eine zweite Ausgeberpartei digitale Unterschriften entwickeln, die dahingehend uber- 
prufbar sind, dafl sie dem offentlichen Schlussel (154) einer unterzeichnenden Partei (102) entspre- 
50 chen, wobei das Verfahren folgende Schritte aufweist: 

Ubermitteln von Daten (155; 157) zwischen der ersten Ausgeberpartei (101) und der unterzeichnenden 
Partei (102), wobei die von der ersten Ausgeberpartei ubermittelten Daten (155) auf mindestens einen 
ersten SchlOssel (153) der ersten Ausgeberpartei ansprechen, wahrend Daten (157), die von der 
55 unterzeichnenden Partei ubermittelt werden, mindestens auf den privaten Schlussel (156) der unter- 
zeichnenden Partei ansprechen, wobei dieser Schussel mit dem offentlichen Schlussel (154) der 
unterzeichnenden Partei in Beziehung steht; 



19 



EP 0 139 313 B1 



Ubermitteln von Daten zwischen der zweiten Ausgeberpartei und der unterzeichnenden Partei (102), 
wobei die von der zweiten Ausgeberpartei ubermittelten Daten auf mindestens einen zweiten Schlussel 
der zweiten Ausgeberpartei ansprechen, wahrend Daten, die von der unterzeichnenden Partei ubermit- 
telt werden, auf mindestens den privaten Schlussel (156) der unterzeichnenden Partei ansprechen, 
5 wobei dieser Schlussel mit dem offentlichen Schlussel (154) der unterzeichnenden Partei in Beziehung 

steht; 

Verarbeiten der auf den ersten Schlussel (153) ansprechenden und durch die Obermittlung empfange- 
nen Daten (157) durch die erste Ausgeberpartei (101), um eine erste digitale Unterschrift (159) 
w herzustellen, die dahingehend uberprufbar ist, dafi sie mit dem offentlichen Schlussel (154) der 

unterzeichnenden Partei (102) in Beziehung steht; 

Verarbeiten der auf den zweiten Schlussel ansprechenden und durch die Obermittlung erhaltenen 
Daten durch die zweite Ausgeberpartei, zur Erzeugung einer zweiten digitalen Unterschrift, die dahinge- 
75 hend OberprUfbar ist, dai3 sie dem offentlichen SchlQssel (154) der unterzeichnenden Partei (102) 
entspricht; 

wobei die genannten Schritte dadurch gekennzeichnet sind, da/3 mindestens ein dritter Schlussel und 
mindestens ein vierter Schlussel besteht, derart, da/3: 

20 

wenn der erste Schlussel (153) von seiten der ersten Ausgeberpartei (101) durch den dritten Schlussel 
ersetzt wird, und der zweite Schlussel von seiten der zweiten Ausgeberpartei durch den vierten 
Schlussel ersetzt wird; 

25 und wenn der Nachrichteninhalt der Daten (155; 157), der zwischen der ersten Ausgeberpartei (101) 

und der unterzeichnenden Partei (102) ubermittelt wurde, jetzt zwischen der zweiten Ausgeberpartei 
(101) und der unterzeichnenden Partei ubermittelt wird; 

und wenn der Nachrichteninhalt der Daten, der zwischen der zweiten Ausgeberpartei und der unter- 
30 zeichnenden Partei (102) Ubermittelt wurde, jetzt zwischen der ersten Ausgeberpartei (101) und der 
unterzeichnenden Partei ubermittelt wird; 

dafl dann der Verarbeitungsschritt der ersten Ausgeberpartei (101) nach wie vor die erste digitale 
Unterschrift (159) liefeft, und der zweite Verarbeitungsschritt der zweiten Ausgeberpartei nach wie vor 
35 die zweite digitale Unterschrift liefert 

2. Verfahren nach Anspruch 1, dadurch gekennzeichnet, da/3 es eine Wahrscheinlichkeitsverteilung fur die 
unabhangige Wahl des ersten SchlCIssels und des zweiten Schlussels gibt, so da/3 bei jeder beliebigen 
resultierenden Unterschrift im wesentlichen die gleiche Wahrscheinlichkeit besteht, da/3 sie aus einer 

40 Verarbeitung hervorgegangen ist, die auf die Datennachrichten der ersten Mitteilung, wie auch auf die 
Datennachrichten der zweiten Mitteilung anspricht. 

3. Verfahren nach Anspruch 2, dadurch gekennzeichnet, da/3 der erste und der zweite Schlussel im 
wesentlichen unabhangig voneinander und im wesentlichen entsprechend der Verteilung gewahlt 

45 werden. 

4. Verfahren nach einem beliebigen vorhergehenden Anspruch, dadurch gekennzeichnet, da/3 Algorith- 
mentransformationen mindestens zum Teil als Quelle fur den ersten und den zweiten Schlussel benutzt 
werden. 

50 

5. Verfahren nach einem beliebigen vorhergehenden Anspruch, dadurch gekennzeichnet, daj3 unvorher- 
sehbare physikalische Phanomene mindestens zum Teil als Quelle fur den ersten und zweiten 
Schlussel benutzt werden. 

55 6. Verfahren nach einem beliebigen vorhergehenden Anspruch, dadurch gekennzeichnet, da/3 eine Ausge- 
berpartei die Nachricht wahlt, auf der die digitale Unterschrift erzeugt wird. 

7. Verfahren nach einem beliebigen vorhergehenden Anspruch, dadurch gekennzeichnet, daJ3 mehr als 



20 



EP 0 139 313 B1 



zwei Ausgeberparteien jeweils eine digitale Unterschrift entwickeln. 

8. Verfahren nach Anspruch 6, gekennzeichnet durch eine im wesentlichen totale Unverknupfbarkeit einer 
Gruppe digitaler Unterschriften mit der entsprechenden Gruppe von Nachrichten, die zwischen den 

5 Lieferparteien ubermittelt werden. 

9. Verfahren nach einem beliebigen vorhergehenden Anspruch, dadurch gekennzeichnet, da/3 mindestens 
eine Ausgeberpartei mehrere digitale Unterschriften entwickelt. 

10 10. Verfahren nach einem beliebigen vorhergehenden Anspruch, dadurch gekennzeichnet, da/3 eine Ausge- 
berpartei (101) eine entwickelte digitale Unterschrift (159) uberpruft. 

11. Verfahren nach einem beliebigen vorhergehenden Anspruch, dadurch gekennzeichnet, da/3 eine von 
einer Ausgeberpartei (101) entwickelte digitale Unterschrift von einer anderen Partei (105) uberpruft 

15 wird. 

12. Verfahren nach einem beliebigen vorhergehenden Anspruch, dadurch gekennzeichnet, da/3 bei einer 
Gruppe von Ausgeberparteien jede Partei ein Multiplikationsprodukt mit einem Element bildet, das 
einem entsprechenden Schlussel bei der Erstellung der entsprechenden Datennachricht entnommen 

20 wird, die an die unterzeichnende Partei (102) ubermittelt wird, und da/3 die Verarbeitungsschritte der 

Ausgeberparteien die Bildung eines Produktes der jeweiligen empfangenen Daten und einer multiplika- 
tiven Umkehrung einer unterschriebenen Form des jeweiligen Schlussels in eine finite Struktur einbe- 
ziehen, in der die Multiplikation und multiplikative Umkehrungen definiert werden. 

25 13. Verfahren nach einem beliebigen vorhergehenden Anspruch, dadurch gekennzeichnet, da/3: 

ein erstes Nachrichtensignal t (155) durch Transformation eines ersten Wertes m unter Benutzung 
eines ersten Schlusselst k (153) entsprechend der Formel t ■ m x k e (mod n) gebildet wird, wobei e ein 
offentlicher Unterschriftsleistungsschlussel und n ein offentlicher Unterschriftsmodul ist; 

30 

ein zweites Nachrichtensignal f (157) durch Transformation des ersten Nachrichtensignals t (155) unter 
Verwendung eines geheimen Unterschriftsleistungsschlussels d entsprechend der Formel t'= f 1 (mod n) 
gebildet wird; 

35 das zweite Nachrichtensignal t' unter Benutzung des ersten Schlussels k verarbeitet wird, urn eine 
digitale Unterschrift m' zu erzeugen, die durch die Formel m' ^ m d (mod n) beschrieben wird; und 

die digitale Unterschrift rrT dadurch UberprGft wird, da/3 die Formel m' e = m (mod n) erfullt wird. 

40 14. Verfahren nach einem beliebigen vorhergehenden Anspruch, dadurch gekennzeichnet, da/3 es im 
Hinblick auf die Erzielung der Unnachvollziehbarkeit des Wertetransfers benutzt wird. 

15. Verfahren nach Anspruch 14, dadurch gekennzeichnet, da/3 eine digitale Unterschrift, die im Austausch 
von Werten empfangen wird, uberpruft wird. 

45 

16. Verfahren nach Anspruch 15, dadurch gekennzeichnet, da/3 die prOfende Partei ein Verzeichnis uber 
fruher geprufte Unterschriften fuhrt, urn Unterschriften ermitteln zu k5nnen, die mehr als einmal 
prasentiert worden sind. 

50 17. Verschlusselungsgerat fur mindestens eine Ausgeberpartei (101) und eine zweite Ausgeberpartei zur 
Entwicklung digitaler Unterschriften (159), die dahingehend uberprufbar sind, da/3 sie einem offentlichen 
Schlussel (154) einer unterzeichnenden Partei (102) entsprechen, wobei das Gerat folgende Kompo- 
nenten aufweist: 

55 Einrichtungen zum Ubermitteln von Daten (155; 157) zwischen der ersten Ausgeberpartei (101) und der 
unterzeichnenden Partei (102), mit Einrichtungen zur Ermittlung von durch die erste Ausgeberpartei 
ubermittelten Daten, die mindestens auf einen ersten Schlussel (153) der ersten Ausgeberpartei 
ansprechen, und mit Einrichtungen zur Ermittlung von durch die unterzeichnende Partei ubermittelten 



21 



EP 0 139 313 B1 



Daten (157), die auf mindestens den privaten SchlUssel (156) der unterzeichnenden Partei ansprechen, 
wobei dieser SchlUssel mit dem dffentlichen SchlUssel der unterzeichnenden Partei (154) in Beziehung 
steht; 

5 Einrichtungen zum Ubermitteln von Daten zwischen der zweiten Ausgeberpartei und der unterzeichnen- 

den Partei (102), mit Einrichtungen zur Entwicklung von durch die zweite Ausgeberpartei ubermittelten 
Daten, die auf mindestens einen zweiten Schlussel der zweiten Ausgeberpartei ansprechen, und mit 
Einrichtungen zur Entwicklung von durch die unterzeichnende Partei ubermittelten Daten, die auf 
mindestens den privaten Schlussel (156) der unterzeichnenden Partei ansprechen, wobei dieser 

w Schlussel mit dem offentlichen Schlussel (154) der unterzeichnenden Partei in Beziehung steht; 

Einrichtungen zur Verarbeitung von Daten (157), die von der ersten Ausgeberpartei (101) empfangen 
wurden und auf den ersten Schlussel (153) ansprechen, um eine erste digitale Unterschrift (159) zu 
erzeugen, die dahingehend uberprufbar ist, da/3 sie mit dem offentlichen Schlussel (154) der unter- 
75 zeichnenden Partei (102) in Beziehung steht; und 

Einrichtungen zur Verarbeitung von Daten, die von der zweiten Ausgeberpartei empfangen wurden und 
auf den zweiten Schlussel ansprechen, um eine zweite digitale Unterschrift zu erzeugen, die dahinge- 
hend uberprufbar ist, da/3 sie mit dem offentlichen Schlussel (154) der unterzeichnenden Partei (102) 
20 entspricht; 

dadurch gekennzeichnet, 

da/3 die SchlUsselquelfen mindestens einen dritten SchlUssel und mindestens einen vierten SchlUssel 
liefern konnen, derart, da/3: 

25 

wenn von der ersten Ausgeberpartei (101) der erste SchlUssel (153) durch den dritten Schlussel ersetzt 
wird, und von der zweiten Ausgeberpartei der zweite SchlUssel durch den vierten Schlussel ersetzt 
wird; 

30 und wenn der Nachrichteninhalt der Daten (155; 157), der zwischen der ersten Ausgeberpartei (101) 
und der unterzeichnenden Partei (102) Ubermittelt wurde, jetzt zwischen der zweiten Ausgeberpartei 
und der unterzeichnenden Partei ubermittel wird; 

und wenn der Nachrichteninhalt der Daten, der zwischen der zweiten Ausgeberpartei und der unter- 
35 zeichnenden Partei (102) ubermittelt wurde, jetzt zwischen der ersten Ausgeberpartei (101) und der 

unterzeichnenden Partei Ubermittelt wird; 

da/3 dann die Verarbeitungseinrichtungen der ersten Ausgeberpartei (101) nach wie vor die erste 
digitale Unterschrift (159) liefern, und die Verarbeitungseinrichtungen der zweiten Ausgeberpartei nach 
40 wie vor die zweite digitale Unterschrift liefern. 

18. Gerat nach Anspruch 17, dadurch gekennzeichnet, da/3 Einrichtungen fUr eine Gruppe von Ausgeber- 
parteien vorgesehen sind, wobei jede Gruppe ein Multiplikationsprodukt mit einem Element bildet, das 
einem entsprechenden Schlussel bei der Bildung von an die unterzeichnende Partei (102) Ubermittelten 
45 Datennachrichten entnommen wird, und da/3 die Verarbeitungseinrichtungen jedes Ausgebers Einrich- 

tungen aufweisen, die zur Bildung eines Produktes der empfangenen Daten und einer multiplikativen 
Umkehrung einer unterschriebenen Form des entsprechenden Schlussels in einer finiten Struktur 
dienen, in der die Multiplikation und die multiplikativen Umkehrungen definiert werden. 

so 19. Gerat nach Anspruch 17 Oder 18, dadurch gekennzeichnet, da/3 Einrichtungen vorgesehen sind, um 
Algorithmentransformationen mindestens teilweise als Quelle fur den ersten und den zweiten SchlUssel 
zu benutzen. 

20. Gerat nach einem beliebigen Anspruch 17 bis 19, dadurch gekennzeichnet, da/3 Mittel vorgesehen sind, 
55 um unvorhersehbare physikalische PhSnomene mindestens zum Teil als Quelle fur den ersten und den 

zweiten Schlussel zu benutzen. 

21. Gerat nach einem beliebigen Anspruch 17 bis 20, dadurch gekennzeichnet, da/3 bei einer Ausgeberpar- 



22 



EP 0 139 313 B1 



tei Einrichtungen vorgesehen sind, um die Nachricht auszuwahlen, auf der die digitale Unterschrift 
angebracht ist. 

22. Gerat nach einem beliebigen Anspruch 17 bis 21, dadurch gekennzeichnet, da/3 bei einer Ausgeberpar- 
tei (101) Einrichtungen vorgesehen sind, um eine entwickelte digitale Unterschrift (159) zu uberprufen. 

23. Gerat nach einem beliebigen Anspruch 17 bis 22, dadurch gekennzeichnet, da/3 bei einer Gruppe von 
Ausgeberparteien jede Partei ein entsprechendes erstes Nachrichtensignal mindestens durch Bilden 
eines Produktes mit einem Element transformiert, das einem entsprechenden Schlussel entnommen 
wird, und da/3 die Einrichtungen zur Verarbeitung der durch die Ausgeberparteien entstehenden 
Datennachrichten Einrichtungen aufweisen, die zur Bildung eines Produktes empfangener Daten mit 
einer multiplikativen Umkehrung einer unterschriebenen Form des entsprechenden Schlussels in einer 
finiten Struktur dienen, in der die Multiplikation und die multiplikativen Umkehrungen definiert sind. 

24. Gerat nach einem beliebigen Anspruch 17 bis 23, dadurch gekennzeichnet, da/3: 

Einrichtungen zur Bildung eines ersten Informationssignals t (155) durch Transformation erster Daten m 
unter Verwendung eines ersten Schlussels k (153) entsprechend der Formel: t = m x k? (mod n) 
vorgesehen sind, wobei e ein offentlicher UnterschriftsleistungsschlLissel und n ein offentlicher Unter- 
schriftsmodul ist; 

Einrichtungen zur Erzeugung eines zweiten Informationssignals t" (157) durch Transformation des 
ersten Informationssignals t (155) unter Verwendung eines geheimen UnterschriftsleistungsschlUssels d 
entsprechend der Formel: t 1 = V s (mod n) vorgesehen sind; 

Einrichtungen zur Verarbeitung des zweiten Informationssignals t' unter Verwendung des ersten 
Schlussels k zur Erzeugung einer digitalen Unterschrift m' vorgesehen sind, die durch die Formel m' = 
m d (mod n) beschrieben wird; und 

Einrichtungen zur Uberprufung der digitalen Unterschrift m' durch den Nachweis vorgesehen sind, da/3 
die Formel: m ,e s m (mod n) erfUllt wird. 

25. Gerat nach einem beliegigen Anspruch 17 bis 24, dadurch gekennzeichnet, da/3 es im Hinblick auf die 
Erzielung der Unnachvollziehbarkeit des Wertetransfers benutzt wird. 

26. Gerat nach Anspruch 25, dadurch gekennzeichnet, da/3 Einrichtungen zur Uberprufung eines im 
Austausch fur Werte empfangenen Digitalsignals vorgesehen sind. 

27. Gerat nach Anspruch 26, dadurch gekennzeichnet, da/3 bei der uberprufenden Partei Einrichtungen 
vorgesehen sind, um ein Verzeichnis von fruher uberpruften Unterschriften zu fuhren, anhand dessen 
Unterschriften ermittelt werden, die mehr als einmal prasentiert worden sind. - 



23 



EP 0 139 313 B1 



m 

.-151 121 



153- 



-101 
-103 



MOD MULTIPLY 



152- 



122 



MOD b EXP' p| 



123 



KEY SOURCE 



126 

t 



MOD INVERSE [ 



104 



125 ^156^- 



i ! 



MOD MULTIPLY I— I — I 
I i I 



FIGURE 1 



! ! 

J 



155 



154 



124 102 

. 1 — , 156 

MOD ° EXP P h — 4 — d\ 



I " — I ■ 



-157 



— s — 
159 



127 105 

*--«-.-, 



b MOD EXP pj " 



"ri6i 



353 



302- 



REGISTER 



I 



352 
s 



354 



FIGURE 3 303 



i 



355 

-4- 



304 



" MOD MUITIPIY | 



-357 



305 



MOD SUBTRACT m 
- | 



1- 



1 



e 

DIVIDE 

3 — t 



3^6 



-358 360 
- L_ 



-362 



351 



1 



REGISTER 



301 



359 



REGISTER 



3 



-306 



REGISTER 



|^3 61 
^J-307 



24 



EP 0 139 313 B1 



FIG.2a 



FIG.2b 



FIG.2c 



453- 



m 



m 



m 



m 



m 



m 



203 
4 



blind I- 



1 



unblind l- 
» ' 



r 




sign Y- 202 



204 
221 



blind f- 
—I — J 





unblind J 







225 
i2L 



blind 



t 

i 2 



unblind | 



235 



b 

|-451 



REGISTER 



401 



MOD MUITIPLY~^ -4Q2 



455~[ 



FIGURE A 



222 



'1,2 





sign] 


— 


unblind 


.'1.2 











224 
2?2 

b lind | W ^ 



Sl 9 n f233 



unblind 



1.2 



234 



452 



P 

J-457 



SHIFT 



403 



MOD MULTIPLY" [ 



454- 



i REGISTER c 



436 



--405 



458 



404 



25 



EP 0 139 313 B1 



953- 



h551 - 3/3- 
REGISTER 



< 1 



552 



1 



557 



SHIFT 



MOD ADD -502 



555{ 



-558 



503 



MOD ADD ' I 



554~ 



--505 



i REGISTER cU— 
-r S-* 



FIGURE 5 



~i — 

556 



504 



652 



f / 

i 

m 



m 



654-1 








1 


602- 


- MOD ADD 1 



s 

j-651 



SUBTRACT s 6Q1 



-655 
751 H K/S2 



FIGURE 6 



Li: 



ADD 



n 

754' 



753- 



m 



SUBTRACT -H 702 
755 

FIGURE 7 



3^701 



n 

-756 



COMPARE j-703 



SELECT c 



758 



i 



-757 



704 



26 



JEuropaisches Patentamt 
European Patent Office © Publication number: 0 139 313 

Office europeen des brevets ^2 



© EUROPEAN PATENT APPLICATION 

© Application number: 84201160.3 © Int. CI. 4 : H 04 L 9/00 

© Date of filing: 13.08.84 



© Priority: 22.08.83 US 524896 


© Applicant: Chaum, David, Prof. Dr. 

Centrum voor Wiskunde en Informatica Postbus 4079 


© Date of publication of application: 


NL-1109 AB Amsterdam(NL) 


02.05.85 Bulletin 85/18 


© Inventor: Chaum, David, Prof. Dr. 


® Designated Contracting States: 

AT BE CH DE FR GB IT U NL SE 


Centrum voor Wiskunde en Informatica Postbus 4079 
NL-1109 AB Amsterdam(NL) 



< 

5 



Blind signature systems. 
© A cryptographic system allows, in one exemplary use a 
supplier (101) to cryptographically transform a plurality' of 
messages responsive to secret keys; the transformed mes- 
sages to be digitally signed by a signer (102); and the signed 
transformed messages returned to the supplier (101) to be 
transformed by the supplier (101), responsive to the same 
secret keys, in such a way that a digital signature related to 
each original message is developed by the supplier (101). 
One important property of these systems is that the signer 
(102) can not determine which transformed message re- 
ceived for signing corresponds with which digital signature- 
even though the signer (102) knows that such a correspond- 
ence must exist 



Ll51 121 yio\ 



i 
i 

I L 



153+4 I 

I -QF 



MOO MULT1PIY 
MOObEXP' pi 



! ' 1 126 TO 

j r - t-f-^ i 

J I I MOO INVERSE | | 

,! >r« 



I 

! i r— ■ — *- 

| | I MOO MULTIPLY 



zz-Al 



FIGURE 1 



154 



124 

r:— H- 

j I MOD b EXP p 
• 



102 

-J. 

156 ! 



-157 



r— -f; 




0) 



EL 

JJ 



Croydon Printing Company Ltd. 



0139313 



- 1 - 

BLIND SIGNATURE SYSTEMS 



BACKGROUND OF THE INVENTION 

1. Field of the Invention, 

This invention relates to cryptographic systems, and more 
5 specifically to systems including public key digital signatures. 

2. Description of Prior Art. 

The concept of digital signatures promises to be an important 
one in commercial applications of cryptographic techniques. The 
digital signatures concept is quite simple. Suppose a bank wishes 

0 to be able to make digital signatures that can be checked by all its 
customers. The bank develops a mathematical function, and supplies 
all its customers, and anyone else who cares to know, complete 
instructions for efficiently computing the function. The trick is, 
that when the bank developed the function, it included in it a trap- 

5 door. This trapdoor allows the bank to efficiently compute the 
inverse of the function. Because it is infeasible to compute the 
inverse of the function without knowing the trapdoor, only the bank 
can compute the inverse of the function. Thus, if a customer of the 
bank sees a message that could only have been created by someone who 

0 knows how to compute the inverse of the function, then the the cus- 
tomer knows that the message must have come from the bank. 

The concept of digital signatures was first proposed in the 
literature by Diffie, et al, in "Multiuser Cryptographic Tech- 
niques," AFIPS — Conference Proceedings, Vol, 45, pp. 109-112. The 
5 first really practical example functions with the required trapdoor 
properties were disclosed by Rivest, Shamir and Adleman, in "A 
Method for Obtaining Digital Signatures and Public-Key Cryptosys- 
tems," Communications of the ACM, Vol. 21, No. 2, February 1978. 



0139313 



- 2 - 

This system has become known as "RSA n , after its inventors, and 
remains the most credible candidate for widespread use. It is based 
on two main ideas. The first is that is relatively easy for someone 
to create a large number for which only he knows the prime factors. 
5 (One way to accomplish this is for the creator to form the number as 
the product of two suitable sufficiently large primes chosen at ran- 
dom. Such primes are easily found by random trial and error since 
the density of primes even in the neighborhood of 50 digit numbers 
is on the order of one percent, and reasonably efficient primality 
10 tests are well known in the art.) The second main idea is that 

knowing the prime factors of the modulus under which exponentiation 
is performed allows one to produce pairs of exponents that behave as 
inverses. 

In other words, consider the function f(x) = x e mod n, to be the 
15 result of raising x to the power e and then finding the remainder 
after dividing by n. There may be a number d, such that 
g(x) = x d mod n and g(f(x)) s f(g(x)) = x. If one chooses primes p 
and q and a suitable e, one can readily compute a corresponding d, 
simply as the multiplicative inverse of e modulo ((p-1) • (q-D), 
20 such modular multiplicative inverses to be described. It is thought 
to be almost impossible to compute d from e and n without knowing p 
and q, and almost impossible to determine p and q from n. Thus, if 
e and n are made public, anyone can compute f(x), but only the crea- 
tor of n can compute the inverse g(x). 

25 There are a variety of ways to use such a "public signature 

function" and its inverse "secret signature function" to make digi- 
tal signatures. In general, it is not desirable to maintain that 
any message which results from applying the public signature func- 
tion is a valid signed message. The reason is that anyone could 

30 create a number at random and claim that it was a signature on the 
message that results when the public signature function is applied. 
One solution to this problem, is to designate some sub-set of the 
messages as "valid messages" such that, for example, only one in 



01 3931 3 



- 3 - 

TO 50 messages Is valid. Thus someone would have to apply the public 
signature function to an average of 5 • 10*^ random messages, (which 
may not be a credible threat) before obtaining a valid message as a 
result. (An RSA system with a one-hundred digit modulus would still 

5 have 10 50 possible valid messages.) The process of "checking" a 
digital signature in such a scheme involves applying the public sig- 
nature function to the digital signature to be checked, and deter- 
mining whether the resulting number is a member of the set of valid 
messages. 

10 It is anticipated that a bank may wish to use digital signa- 

tures to validate various numbers that are to serve as electronic 
money. The bank will form digital signatures of valid numbers, and 
sell them to individuals by charging the individuals 1 accounts say 
one dollar for each signed number. These digitally signed numbers 

15 might be thought of as electronic bank "notes". An individual can 
check the digital signature on such a digitally signed note by 
applying the public signature function of the bank to the note and 
verifying that the result is a valid message. When the individual 
wishes to pay for some goods or services, say for example, buying 

20 something costing one dollar at a shop, the individual gives the 
digitally signed note to the shop as payment. The shop can then 
check the digital signature on the note. If the result of the check 
is positive, then the shop can supply the digital signature to the 
bank, who can deposit one dollar in the shop's account, after again 

25 checking the signature on the note. The bank will also keep a list 
of the valid numbers which have been previously cleared, to prevent 
the same one from being used more than once. Of course, many dif- 
ferent denominations of such digitally signed bank notes might actu- 
ally be offered for sale by the bank, each denomination using a dif- 

30 ferent pair of signature functions. 

The problem with such payments systems possible under the prior 
art is that the bank will always be able to know which account a 
note was withdrawn from and which account it is ultimately deposited 



0139313 



- 4 - 

to — and this poses serious problems from a personal privacy perspec- 
tive. As more and more payments transactions become automated, and 
more and more data associated with transactions is captured elec- 
tronically, a tremendous amount of data about a person 1 s habits, 
affiliations, lifestyle, whereabouts etc. could be captured by the 
bank in electronic form. This places the bank in a position it 
would rather not be in, because it has to to convince its customers 
that it handles this data properly, and also because of possible 
legal exposure, there will be various costs, restrictions on and 
interference with operating procedures and personnel. The customers 
of the bank are also placed in an undesirable position, since there 
may always be some doubt as to how such data is actually being used 
or might be used in the future. 

This examples illustrates the need for signature systems that 
do not allow the signer to trace all things validated with his sig- 
nature. Many other similar situations, such as, notaries, stock, 
bond, and other certificates, credentials, authorizations etc. are 
also anticipated. 

OBJECTS OF THE INVENTION 

Accordingly, it is an object of the present invention to pro- 
vide a system utilizing digital signatures in which the provider of 
a message for signing can transform the message to be signed into a 
form which obscures the content of the message, the signer can sign 
the transformed message and return it to the provider, and the pro- 
vider can transform the signed message in such a way that the result 
retains the digital signature property related to the original mes- 
sage content, but the result is not readily associated with the 
transformed message received by the signer. 

Another object of the present invention is to provide a system 
which can be used in a payments or other type of system as 



01 39313 



- 5 - 

previously described, wherein, for example, the provider may choose 
a valid bank note message at random, transform it, have it signed in 
transformed form, and transform it back to a form related to the 
original note but bearing a digital signature property. 

5 Another object of the invention is to provide a system with the 

additional property that the security of the system against linking 
of the transformed messages received by the signer with the signed 
messages ultimately revealed by the provider does not rely on argu- 
ments based on computational infeasibility . 

10 Another object of the invention is to provide additionally the 

property that if only j things are signed, then no more than j sig- 
natures can be developed by the provider (s). 

Yet another object of the invention is to allow messages to be 
transferred through what might be thought of as a series of more 
15 than one provider on the way to the signer and return through a 
related series of providers. 

Still another object of the invention is to provide efficient, 
economical and practical apparatus and methods fulfilling the other 
objects of the invention. 

20 Other objects, features, and advantages of the present inven- 

tion will be appreciated when the present description and appended 
claims are read in conjunction with the drawing figures. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 shows a combination functional and detailed block 
25 diagram of a blind signature system in accordance with the teachings 
of the present invention. 

FIG. 2a shows a block diagram of a single provider use in 



0139313 



- 6 - 

accordance with the teachings of the present invention. 

FIG. 2b shows a block diagram of a first two provider use in 
accordance with the teachings of the present invention. 

FIG. 2c shows a block diagram of a second two provider use in 
5 accordance with the teachings of the present invention. 

FIG. 3 is a detailed schematic diagram of an exemplary embodi- 
ment of a modular inverter. 

FIG. 4 is a detailed schematic diagram of an exemplary embodi- 
ment of a modular exponentiator . 

10 FIG. 5 is a detailed schematic diagram of an exemplary embodi- 

ment of a modular multiplier. 

FIG. 6 is a detailed schematic diagram of an exemplary embodi- 
ment of a modular subtractor. 

FIG. 7 is a detailed schematic diagram of an exemplary embodi- 
15 ment of a modular adder. 

BRIEF SUMMARY OF THE INVENTION 

In accordance with these and other objects of the present 
invention, a brief summary of an exemplary embodiment is presented. 
The concept of blind signatures may be understood by an analogy 

20 based on carbon paper lined envelopes. Suppose Alice supplies Bob 
with a first envelope and a second envelope, each containing a piece 
of carbon paper facing a blank white slip of paper. Bob signs both 
envelopes on the outside with identical signatures and returns them 
to Alice. Alice privately removes the paper slips from the 

25 envelopes, each slip now bearing a carbon image of Bob's signature; 
places the slips in a random order; presents them to Bob; and asks 
him which slip was in the first envelope. Bob can not answer with 



0139313 



- 7 - 

certainty, though he knows each slip was in an envelope he signed, 
because he does not know which slip was in which envelope. 

Turning now to FIG. 2a, one exemplary embodiment will be 
described in simplified form to introduce some central concepts, but 
5 such description should not be taken to limit the scope of the 
invention, which is described more fully elsewhere in the present 
specification. Two cryptographic transformations, "blinding" 203 
and "unblinding" 20H, are shown depending on a secret cryptographic 
key k. A digital signature transformation 202 is shown, which 
10 depends of secret signing information not shown for clarity. 

The original message m (corresponding to the blank slip of 
paper in the analogy above) is first encrypted by blinding transfor- 
mation 203 (which corresponds with placing the slip in the special 
envelope), resulting in transformed message t (corresponding to the 

15 slip in the envelope). A digital signature responsive to the 

transformed message t is then developed by signing transformation 
202 (corresponding with Bob signing the outside of the envelope), 
and is shown as t f (corresponding to the signed envelope). The 
unblinding transformation 204 takes t 1 and converts it, by use of 

20 key k into a variant m f of the original message m which retains a 
signature property (corresponding to the signed slip removed from 
the envelope by the party who placed it there). 

This entire procedure would normally be repeated more than 
once, say 1 times, using a fresh key ky 1<j<l, each time (just as 

25 there were multiple envelopes in the analogy). Thus, a set of 

signed values fa^} are generated (corresponding to a set of signed 
slips), as well as a set of transformed values {t^} (corresponding 
to a set of envelopes). An important property of such a blind sig- 
nature system is that if the signer knows only the two unordered 

30 sets, and not the keys k^, then the signer is unable to readily 
^determiner the correspondence between the elements of the two sets 
(just as Bob was unable to tell which slip was from which 



01 39313 



- 8 - 

envelope) — even though the signer is assured by the signature pro- 
perty that such a correspondence must exist. 

In one embodiment of the present invention, based on the RSA 
digital signature system as earlier described, the following 
congruences might hold: 

t = [m] . k e (mod n), 

t' = [m - k e ] d = m d . k (mod n),and 

m' = [m d . k] . k" 1 £ m d (mod n), 

where n is the publicly known modulus and e and d are exemplary pub- 
lic and private signature exponents respectively. The square brack- 
ets show the input to the transformation whose output is shown on 
the right hand side, and thus they define the function of each of 
the three transformations. The signature property of m* might be 
checked by anyone with access to the public signing function based 

on e, simply by forming m te mod n and checking whether the result is 
a valid message m. 

GENERAL DESCRIPTION 

General descriptions of the functions of some constituent parts 
of the present invention will be presented. 

Line 155 shows the output of blinding transformation 103 being 
input to signing transformation 102; line 157 shows the output of 
signing transformation 102 being input to unblinding transformation 
104; line 159 shows the output of unblinding transformation 104 
being input to signature checker. 105. The method or means whereby, 
such information is transferred as shown by these lines is not 



01 39313 



- 9 - 

essential to the present invention, and may be accomplished in any 
suitable way. For example, the output or input means may be brought 
into physical proximity with each other, or they may communicate 
remotely by any kind of communication network or other technique. 
The information may be encoded in various forms, some of them cryp- 
tographic, and decoded and transformed between codings on its way. 
Similarly the information may be stored and/or detained in various 
forms along its way. 

The term "party* is used herein to indicate an entity with con- 
trol over some secret information. In some cases, a party might be 
a person who knows a secret cryptographic key. It is anticipated 
that a plurality of people may each know part or all of some key 
matter, and then they might collectively be thought of as a party. 
In other cases, a key may normally be known only to apparatus and 
not people, and the apparatus or the people able to utilize the 
apparatus may be regarded as parties. Different people may use the 
same apparatus each with different keys, assuming they all have some 
trust in the apparatus, and then they might be regarded as separate 
parties. Thus, for example, signature transformation 102 may be 
regarded as a step in a method or part of an apparatus, and/or it 
may be regarded as a party, and it may be called signer 102 or 
signer party 102. 

Key source 123 is shown without inputs and with output 153. 
The function of key source 123 is to output a value normally at 
least partially unknown to at least the signer party 102. It is 
preferred that the output is nearly completely unknown outside the 
provider 101, and may not even be known to any persons but to only 
apparatus. The term "secret key" may be used herein to refer to 
information, such as the output of key source 123, that is normally 
supposed to be unknown to various parties. Many means and methods 
are known in the art for generating such keys. One approach uses 
unpredictable physical phenomena, such as noise in a semiconductor 
or other electronic component or radioactive decay, or timing of 
events generated by asynchronous processes, such as humans pushing 



01 3931 3 



- 10 - 

buttons. Another approach uses algorithmic transformations on other 
secret information. Of course these two approaches can readily be 
combined. The output of the key source is shown as input to 
transformations 103 and 104. The probability distribution of keys 

5 is obviously of interest. In the preferred embodiment, they are 
preferably as nearly uniformly distributed as practical. The output 
may be generated initially for one, and then retained, possibly in 
encrypted form, and/or in some protected and/or tamper indicating or 
tamper responding apparatus. An equivalent approach for the present 

10 invention would be re-generating the key algorithmically each time 
it is needed. 

Signature checker 105 is shown taking its input from the output 
of unblinding transformation 104, line 159, and producing output 
161, shown in the preferred embodiment as m. The function of 

15 checker 105 is to produce an indication of whether the input value 
has the properties of a valid signature. An implicit input is the 
public signature information, shown as e in the preferred embodi- 
ment. The authenticity of this information forms the basis for the 
authenticity decision about the signature input, and thus such 

20 information may be shown contained within checker 105. Checker 105 
serves a logical function of indicating whether or not the signature 
appears to have been transformed using the secret signature informa- 
tion corresponding to the public signature information; any means or 
method performing this function may be regarded as a signature 

25 checker. (Other data may also be output by the checker 105, such as 
parameter values included during formation of the signature.) 

Various signature means and methods are known or would be obvi- 
ous to those skilled in the art. One method, that of choosing a 
subset of tfie domain of the signature function as valid messages, 
30 has already been described. Another approach might not make such a 
restriction, but might instead rely on information additional to the 
output of the signature function for input to the checking function. 
One-way functions "may be thought of" as public functions without pub- - 
licly known inverses, such functions being well known in the art, 



0139313 



- n - 

such as the public function of an RSA system as earlier described, 
or those first disclosed by Purdy in "A High Security Log-in Pro- 
cedure," Communications of the ACM, Vol. 17, No. 8, August 1974, 
p442. Suppose the range of a one-way function y(x) is the domain of 
5 a private signing function g(x), with public signature function 
inverse f(x). One way to use such functions to form digital signa- 
tures is to form a signature, s, as the secret signature function of 
the image of the desired message, a, under the one-way function, 
s = g(y(a)). A signature can be authenticated under such a scheme 

10 if numbers a and s are presented to the checker 105, such that 
y(a) = f(s). Notice that if the domain of y is larger than its 
range, then it serves to compress the matter to be signed. Also 
notice that if the domain of y is smaller than the range of g, then 
all or part of the number a may be encoded as the rest of the domain 

15 of g. In some cases a strict one-way property may not be required. 

Signing transformation 102 outputs some transformation of its 
input which depends on signing information at least secret from the 
other parties, shown as d in the preferred embodiment. Various 
exemplary signing transformations have been described above, but the 

20 function of the signing transformation should be regarded as any 
transformation at least partially responsive to the information to 
be signed and to secret signing information, such that some suitable 
checking function can be performed meaningfully. The term party, as 
mentioned earlier, may be used when referring to the signing 

25 transformation 102, and then it would be appropriate to say signer 
102. 

Blinding transformation 103 takes a message from line 151, 
shown as m in the preferred embodiment, and a secret key from line 
153. The nature of the source of m is not essential to the present 
30 invention, but the particular value of m resulting in an actual par- 
ticular output of blinding transformation 103 received by signer 102 
should not normally be revealed to the signer 102 by such a source, 
as this would allow the correspondence to be learned by the signer. 
The function of blinding transformation 103 is to produce output 



01 39313 



- 12 - 

that does not normally reveal the actual message input to those not 
in possession of the secret key k, and to cooperate with the singing 
and unblinding transformations, as will be described. Thus, the 
blinding transformation may be thought of as a cryptographic 
5 transformation which hides some message by use of a key, with addi- 
tional properties that allow it to cooperate with the other 
transformations . 

Unblinding transformation 104 takes a key from line 153 and a 
value from the signature transformation 102 on line 157* and pro- 

10 duces an output shown as line 159. The function of unblinding 
transformation 104 is to transform its input into a form which 
"retains a digital signature property related to original message 
m". In other words, a checker 105 should be able to return a posi- 
tive result when supplied output of unblinding transformation 104, 

15 and possibly other appropriate information, such result indicating 
that a signature related to the original message m has been authen- 
ticated. 

Several possible properties of blind signature systems will be 
described in accordance with the teachings of the present invention. 

20 One general property of a blind signature scheme is that the 

blinding transformation should make it difficult, if not impossible, 
to determine the message m with certainty from the transformed mes- 
sage t without key k. For the purposes of the present description, 
this property will be referred to as "hiding", and thus it may be 

25 said that the blinding transformation hides the message. In the 

preferred embodiment, as mentioned earlier, the blinding transforma- 
tion includes multiplying modulo n by k e . If e is rion-zero and 
fixed and coprime with <t(n), and k is chosen from the interval 0 to 
n-1, then the signing function g(k) = k e (mod n) is one-to-one and 

30 onto. If m is coprime with n, then h(m) ^ g(k) • m (mod n) is one- 
to-one and onto. Thus, under the assumptions of proper e, and m 
coprime with n ? ..jl. p^ticular value of t could correspond with any 
value of m, with unique suitable k. In a sense then, it is believed 



01 39313 



- 13 - 

that, the security of the hiding in the blinding transformation of 
the preferred embodiment is comparable to that of the so called 
one-time pad, when GCD(m,n) = GCD(e,4>(n)) = 1, and k chosen uni- 
formly from the interval 0 to n-1. Of course, if e is not coprime 
5 with 4>(n) then certain messages may have no signature; and if it is 
likely that m is not coprime with n, then it is likely that someone 
can guess a factor of n, or providers could use Euclid's algorithm 
to reject any non-coprime m. 

Another property of a blind signature scheme which may be 
10 important in some anticipated applications will be called "conserva- 
tion of signatures" • This property requires that it not usually be 
easy for someone to construct a set of transformed messages such 
that after each member of the set is signed, more authenticatable 
signatures can be derived than original members of the set were 
15 signed. The preferred embodiment, as mentioned earlier and to be 
described in detail, is believed to have this property in practice, 
when suitable signature authentication techniques are used, such as 
when a strong one-way function of suitably large range and domain is 
used in the signature authentication scheme, as described earlier. 
20 One possible explanation for this property holding is that a set of 
1 signed things can be thought of as giving at most 1 equations, and 
these can be solved for at most 1 unknowns. 

Yet another property of a blind signature system will be called 
the inability to "link", which may be understood as follows. Sup- 

25 pose there are 1 different messages, m"j for Kj<l. Each message is 
the input to a blinding transformation, using key kj, and the result 
is 1 blinded messages tj. (It is not essential whether each message 
is blinded by a different party, all messages are blinded by the 
same party, or various parties each blind some subset of the mes- 

30 sages.) Suppose further that the signer applys the signing 
transformation to each blinded message ty and returns each 
transformed messages t f j to its provider. Further suppose that each 
provider applies the appropriate unblinding transformation to each 



0139313 



-14 - 

t 1 y yielding a collection of 1 unique messages m'j, each bearing a 
signature property. Suppose still further that the signer receives 
an unordered set whose 1 elements are exactly the m f y which may be 
denoted {m^} for 1<i<l. Finally, assume that the signer knows only 
5 the 1 things he has signed, ty and the set {m^}, and no outside 
information about the provider (s), their keys, or information flows 
from or to the provider (s). The signer can "link" the things 
received for signing t^ with the things known to have the signature 
property {m^}, if and only if he can determine with certainty for 

10 every element of {m^}, the unique tj which corresponds with the 
same message m, under the assumptions above. If nothing at all can 
be known about the correspondence, under the assumptions above, not 
even associating different probabilities with different correspon- 
dences, then the blind signature system may be said to be "com- 

15 pletely unlinkable." The term "blinded" may be used to indicate 
that it is not usually easy to completely link. For example, one m* 
and one t may be said to be blinded from each other without k, if it 
can not usually easily be determined without k that the two 
correspond . 

20 In the preferred feMbodiment, as mentioned earlier and to be' 

described in detail, it is believed to be possible to come close to, 
or in same cases under certain assumptions even achieve, complete 
unlinkability. A possible explanation for this might be that for 
each possible way to put the 1 items into correspondence, there 

25 could exist a unique set of values for the keys k , such that this 
would be the true correspondence, but assuming each k is chosen so 
that all values are equally likely, all possible correspondences are 
equally likely. (Of course the question of actual generation of 
randan numbers from a perfectly uniform distribution is beyond the 

30 scope of the present description.) It is believed that one possible 
explanation of this may be seen by considering the position of the 
signer as- follows. He has two sets of values: ft-}, and {m^}. If 
he assumes that t v corresponds with m* u , then he can determine the 



0139313 



- 15 - 

unique k which would have been used to form t v . This may be accom- 
plished by solving the congruence • k^ ^ m'® (mod n), for k v . To 
do this, one may first compute the multiplicative inverse of m u 
modulo n, and assuming that ra and n are coprime, as mentioned ear- 
5 lier, there is a unique such value* Then the unique product of this 
value and t is formed, modulo n. Finally, the result is raised to 
the d power modulo n, producing a unique result, assuming that e is 
coprime with 4>(n). Thus, under the assumptions, for every possible 
way the two sets could be linked, there exists unique choices for 

10 the keys k^ that would make this the true linking, and, as mentioned 
above, since the ks are by assumption chosen from a uniform distri- 
bution, all such choices for the keys k^ are equally likely, and so 
all possible linkings are equally likeily. This concept is further 
illustrated by numerical examples as will be presented in the 

15 detailed description of the preferred embodiment. 

Referring now to FIG. 2, several exemplary modes of use in 
accordance with the teachings of the present invention will be 
presented . 

FIG. 2a shows a mode of use with only a single cryptographic 
20 blinding and corresponding cryptographic unblinding transformation, 
as mentioned earlier. The message m is transformed by cryptographic 
blinding transformation 203 into transformed message t, which is 
input to signature transformation 202, which transformation depends 
on secret signing information, not shown for clarity. The output of 
25 the signing transformation, t 1 , is input to the unblinding transfor- 
mation 20*1, which transformation depends on key k, and which 
transformation produces output m f , bearing a signature property 
related to the m. (Notice that blinding transformation 203, signa- 
ture transformation 202 and unblinding transformation 204 of FIG. 2a 
30 correspond with blinding transformation 103, signature transforma- 
tion 102 and uhbii riding traris'f ormatiori 104 of FIG . 1 , respectively . ) 

Referring now to FIG. 2b, a first mode of use is shown with two 



0139313 



- 16 - 

cryptographic blinding transformations, two cryptographic unblinding 
transformations, and two separate keys for these transformations. 
The original message m is transformed by blinding transformation 
221, which transformation depends on key k^, producing output shown 

5 as tjt and then supplied as input to blinding transformation 222, 
which transformation depends on key k^, and whose output is shown as 
t- 0 . Signing transformation 223 takes this multiply transformed 
message as input and produces, in a way depending on secret signing 

information, not shown for clarity, output shown as t* 0 . This 

if 2 

10 output is shown as input to unblinding transformation 224, which 

depends on key k^ 9 and produces output shown as t 1 ^. This output is 
input to unblinding transformation 225, which depends on key k^, and 

which produces output shown as m» retaining a digital signature pro- 
perty related to m. 

15 In one use of this mode based on the preferred embodiment, 

described earlier and to be described in detail, the following 
congruences might hold: 

t 1 = m • k® (mod n), 
t^ 2 = t^ . k| (mod n), 

tf lj2 - *i~2 - md 9 k 1 ' k 2 * mod n) ' 
t' 1 = tf 1j2 ' k 2 1 - m<i * k 1 (mod n) * 
m» = t f 1 • k~ 1 E m d (mod n), 

and the checking function can be based on the congruence 

m ,e a m (mod n). fHus^the blinding transformation. 224 and 225 a& 
25 well as the unblinding transformation 222 and 224 are each nearly 



0139313 



- 17 - 

the same as in the single key mode of the preferred embodiment to be 
described in detail. 

If only a single party with access to both keys k 1 and uses 
this mode, then it may be equivalent to a single key use, as in the 

5 preferred embodiment. The present mode may have additional bene- 
fits, advantages and features, however, in some anticipated applica- 
tions. Consider the case where one party holds k^ and a second 
holds k 2 . Both parties become mutually dependent once the signature 
transformation has been made: the first party requires the coopera- 

10 tion of the second to transform t f 0 into m f ; similarly, the second 
party requires the cooperation of the first to transform t 1 ^ into 
m f ♦ In the embodiment described above, the second party can check 
that the signer 223 has performed the proper function, by checking 
that t, 0 r t 1 ® 0 (mod n). The first party is in a position to 

1,2— 1 , d 

15 check the signature function performed by signer 223 by checking 
that t 1 = t 1 ® (mod n), but this function is also available to the 
single provider party in a single non-signer party mode of use, but 
it is anticipated that the signature would normally be checked by 
the single party by checking that m == m ?e (mod n) . Notice also that 

20 the communication between the second party and signer 223 in the 
present mode is obscured from the first party. For example, the 
second party may be second party to several first parties, and they 
may not know which of the communications with signer 223 include 
their particular values of m. Similarly, the second party may 

25 obscure from the signer which of the communications with first 

party (s) correspond to particular signature transformations made by 
signer .223. In some embodiments, such as the preferred embodiment, 
it may even be the case that cooperation between the first party and 
signer 223 to determine the correspondence between communications 

30 known to one and communications known to the other can be thwarted 
by the second party. . 

Of course the present discussion can readily be generalized to 



0139313 



- 18 - 

a use based on a plurality of provider parties—not just two or 
fewer non-signer parties. In a multiple provider party use based on 
the preferred embodiment: each party performs transformations just 
as if they were in a single or two non-signer party use as described 
5 herein; parties may readily check that the signature property has 
been properly applied and transferred by the signer and those par- 
ties on the signers side; and any intermediary party is able to 
thwart attempted linking even by cooperation of all other parties. 

Referring now to FIG. 2c, a second mode of use is shown with 
10 two cryptographic blinding transformations, two cryptographic 

unblinding transformations, and two keys for these transformations. 
The original message m is transformed by blinding transformation 
231, which transformation depends on key k^, producing output shown 
as t 1$ and then supplied as input to blinding transformation 232, 
15 which transformation depends on key k 2> and whose output is shown as 

t. Q . Signing transformation 233 takes this multiply transformed 

if 2 . 

message as input and produces, in a way depending on secret signing 
information, not shown for clarity, output shown as tf lf2 * This 
output is shown as input to unblinding transformation 234, which 
20 depends on key k^ and produces output shown as t' 2 . This output is 
input to unblinding transformation 235, which depends on key k 2 , and 
which produces output shown as m 1 , retaining a digital signature 
property. 

In one embodiment of this mode of use based on the preferred 
25 embodiment, described earlier and to be described in detail, the 
following congruences might hold: 

t 1 z m • k® (mod n), 

t 1,2 = t i • kf (mod n), 
t' lf2 = t<5 * m d -k, . ^(modn), 



0139313 



- 19 - 



t f 2 £ t' 1j2 . k~ 1 = m d . k 2 (mod n), 



m f = t' 2 . k" 1 = m d (mod n), 

and the checking function can be based on the congruence 

m te = m (mod n). Thus, the blinding transformation 231 and 235 as 
5 well as the unblinding transformation 232 and 234 are each nearly 
the same as in the single key mode of of the preferred embodiment to 
be described in detail. 

Again, little advantage may result if one party uses two 
separate keys. The present mode may have additional benefits, 

10 advantages and features, however in some anticipated applications. 
Consider the case where one party holds k^ and a second holds k^, as 
before. In the earlier described first two provider mode of use, 
the second party could cheat the first party by simply discarding 
and supplying some t 2 of the second parties 1 choice to signer 223. 

15 Then the second party could unblind the resulting t f 2 received from 
signer 223, and obtain the signature property on something chosen 
only by the second party, leaving the first party without the 
expected message bearing the signature property. In the present 
mode, however, if the signer only signs t when supplied by the 

20 second party, and returns the t 1 only to the first party, then 
neither party can cheat the other. 

Of course both modes shown with two non-signer parties can 
readily be generalized in combination: a message travels through one 
permutation of the parties on the way to the signer and through a 
25 possibly different permutation on the way back. The no linking pro- 
perty is believed to still hold for any single intermediary party; 
the no cheating property holds for a party if no cheating party is . 
between the party, and the signer in at least one direction. 



0139313 



- 20 - 

DETAILED DESCRIPTION OF PREFERRED EMBODIMENT 

Turning now to FIG, 1, a detailed description of a preferred 
embodiment of the present invention is presented. One party to the 
system will be referred to as the "provider", shown as contained in 
5 the dashed box 101 • Another distinguished party in the system is 
the "signer", shown as contained within dashed box 102. A key 
source for developing a secret key preferably confidential to the 
provider, is shown contained within the provider 101. A secret 
signing key, d, is shown contained within signer 102. The provider 
10 also contains the ability to perform two transformations. A "blind- 
ing" transformation 103 and an "unblinding" transformation 104. A 
checking function 105 is also shown. 

The message m appear on line 151 as one multiplicand input to 
modular multiplier 121, such multipliers to be described. The other 

15 multiplicand input to modular multiplier 121 is from line 152, which 
is the output of modular exponentiator 122, such modular exponentia- 
tors to be described. The base input to exponentiator 122 appears 
on line 153, and is the key output from key source 123, such key 
sources described earlier. The exponent, or as used equivalently 

20 herein, the powerer input to exponentiator 122 is from line 154, and 
is the public signature exponent shown sis e. The product output of 
multiplier 121 appears on line 155, which line is the base input to 
modular exponentiator 124. The exponent to exponentiator 124 is the 
secret signing key shown as d, which appears on line 156. The out- 

25 put of the exponentiator 124, in this embodiment, is the digital 
signature of its input base from line 155, and appears on line 157, 
which is input to modular multiplier 125. The other multiplicand 
input to multiplier 125 appears on line 158, which is the output of 
modular inverter 126, such modular inverters to be described. The 

30 modular inverter takes its input from the key source 123 mentioned 
earlier as line- 153*— The product output of modular multiplier 125 
appears on line 159, which is base input to modular exponentiator 
127. The power input to exponentiator 127 is shown as e on line 



0139313 



- 21 - 



160. The output of exponentlator 127 is shown as m on line 161. 

The operation of the preferred embodiment shown in FIG. 1 will 
now be described in detail. A message m is obtained on line 151 by 
the provider. A key appears on line 153, denoted as k, preferably 
5 secret to the provider, is developed by key source 123, and is 
preferably chosen from the interval 0 to n-1 with each value as 
nearly equally likely as practical. The blinding transformation 103 
takes these two inputs, lines 151 and 153, and forms a blinded mes- 
sage denoted as t on its output line 155, such that 

10 t = m • k e (mod n). These functions of the blinding transformation 
103 are accomplished as follows. Modular exponentlator 122 takes 
the key k as its base input from line 153 and takes the public sig- 
nature key e from line 15U, and outputs on line 152 a value 
congruent modulo n to k«. Modular multiplier 121 takes this value 

15 from line 152 and forms the modulo n product with the input m from 
line 151, and the product output appears on line 155. 

Now the signer 102 may obtain the blinded message t from line 
155, and will normally output a digital signature of t on line 157, 
the output denoted as f , such that f = t d ( mo d n), where d is the 
20 secret signing exponent of the signer mentioned earlier. These 
functions of the signer 102 are accomplished as follows. Modular 
exponentlator 124 takes its base input from line 155, takes its 
power input from line 156, and its output appears on line 157. 

Now the provider may perform the unblinding transformation, 
25 shown as 104. The output of the signer, f , and the secret key k 
are inputs to this function and it produces, in this embodiment, a 
digital signature on m, denoted m» , such that m» = m d (mod n). This 
function of the unblinding transformation is performed as follows. 
The multiplicative inverse of the secret key k is formed by the 
30 modular inverter 126. Then the product modulo n of the multiplica- 
tive inverse, shown as k- 1 , and the signed blinded message t' from, 
line 157 is formed by modular multiplier 125, and its output appears 



01 3931 3 



- 22 - 



on line 159- 

At some latter time, one or more parties may wish to check or 
authenticate the digital signature m« on the original message to. 
This function may be performed by checking that m = m' e , and that m 
5 is a valid message, as described earlier. This function can be per- 
formed by the modular exponential 127, which takes its base input 
from line 159 and its power from line 160, and whose output appears 
on line 161. A specific example of further checking for valid mes- 
sages or the like is not shown for clarity, but such techniques 
10 would be obvious from the earlier description, and are well known to 
those of ordinary skill in the art. For example, the binary 
representation of the value on line 161 could be split into two 
halves, and the number considered valid if the result of comparing 
the two halves indicates they are identical. 

15 The following table illustrates the operation of one use of the 

preferred embodiment by associating the various line numbers in the 
first row and their symbolic names in the second, with the exemplary 
values in the remaining nine data rows. The table uses an RSA sys- 
tem based on primes 29 and 31 chosen by the signer. The modulus 
20 made public by the signer would then be n=29 • 31 = 899. The signer 
is assumed to have chosen e to be 17, (possibly after checking that 
GCD(17,<Kn))=1) and computed its multiplicative inverse modulo *(n)= 
(29-1) • (31-1)=840, and with the result d = 593. Of course such a 
system is based on numbers far too small to be secure. (Finding k" 1 
25 for the value of k in the first data row is the subject of an exam- 
ple of the operation of the modular inverter to be described.) 
Notice that the first and second data rows have the same t values as 
the penultimate and last data rows respectively, but that their mes- 
sages m are interchanged with different values of k, as mentioned 
30 earlier. 



0139313 



23 - 



151 


153 


1*52 


1<s5 


1 C7 


ICO 

158 


159 


m 


k 


k e 


fr 




K 


m' 


628 


255 


886 


826 


19 


691 


543 


254 


685 


84 


659 


698 


21 


274 


40 


393 


210 


309 


340 


716 


710 


153 


440 


212 


72 


541 


615 


85 


755 


748 


16 


393 


110 


256 


291 


623 


111 


107 


135 


601 


81 


135 


724 


308 


461 


235 


69 


108 


260 


254 


548 


520 


826 


19 


251 


274 


628 


94 


807 


659 


698 


373 


543 



Referring now to FIG. 3, a detailed description of an exemplary 
embodiment of a modular multiplicative inverter, herein called a 
modular inverter, is presented. The number to be inverted appears 
on line 351, and is initially loaded into register 301. The output 
of register 301 appears on line 352, which is input to register 302, 
which takes its initial value, the modulus n, from line 353, and has 
output on line 354. Ordinary arithmetic divider 303, takes its 
dividend from line 354 and its divisor from line 352, its quotient 
output appears on line 355 and its remainder output appears on line 
356. Such binary arithmetic dividers for unsigned integers are well 
known in the art, for example see K. Hwang, "Computer Arithmetic: 
principles, architecture, and design" John Wiley, 1979, Chapter 7. 
Line 356 is input to register 301, described earlier. Line 355 is 
input to modular multiplier 304, such multipliers to be described. 
The output of modular multiplier 304 is line 357, which is sub- 
trahend input to modular subtracter 305, such subtracters to be 
described. The difference output of modular subtractor 305 is line 
358, which is input to register 306, which takes its initial value 
°_ f J from } ine 359 and whose^ output appears on line 360. Modular 
multiplier 304 already described takes one of its multiplicand* " 
inputs from line 360. Register 307 takes input from line 360, takes 



0139313 



- 24 - 



its initial value of 0 fro, line 3 61, and its output appears on line 
362. Line 3 62 is minuend input for modular subtracter 305 already 
described, and is the output of the modular inverter. 

A detailed description of the operation of the modular inverter 
5 of FIG. 3 is now presented. The modular inverter takes an input 
fr om line 351 whose value is between 0 and n-1, and produces on the 
output line 362 a value between 0 and n-1 which is congruent to the 
.ultiplicative inverse modulo n of the value input. The principle 
of operation is based on a variation of Euclid's algorithm, and 
10 well Known in the art. See Knuth, D.E., "The Art of Computer Pro- 
gramming: Volume 2/ Seminumerical Algorithms," Addison-Wesley, 1969, 
Euclid's algorithm, page 297, exercise 4.5.2 #15 on page 315, and 
answer to exercise 4.5.2 #15 on page 523- Initially register 302 
contains n, register 301 contains the input from line 351, register 
15 306 contains 1, and register 307 contains 0. The operation proceeds 
synchronously by clock pulses sufficiently spaced to allow all ines 
to settle between pulses. Clock pulses occur until the first time 
that the contents of register 301 are 0. The clock and associated 
lines, as well zero detector for register 301, are not shown for 
20 clarity, but would be obvious to those skilled in the art from the 
present description. Before the first clock pulse and after each 
clock pulse, divider 303 divides the contents of register 302 by he 
contents of register 301 and supplies the quotient to modular multi- 
plier 304 and the remainder to the input to register 301. Once. the 
- 25 quotient value settles, modular multiplier 304 forms the modulo n . 
product of the quotient and the contents of register 306, and sup- 
plies the product as the minuend input to modular subtracter 305. 
Once the product value settles, modular subtracter 305 subtracts 
m odulo n the product fro. the contents of register 307 and supplies^ 
30 the difference to an input of register 306. With the rising edge of 
each clock pulse, register 302 latches in new contents from line 
352, and register 307 latches in new contents from line 360. During 
the falling W of each clock^pulse F register 30V latches in new. - 
contents from line 356, and register 306 latches in new contents 



01 39313 



- 25 - 



fro* line 358. The duration of each clock pulse is short enough 
that the output of modular subtracter 3 05 and the remainder output 
356 of divider 3 0 3 do not change between the rising and falling edge 
of a clock pulse. B 

5 The following table illustrates the operation of the modular 

inverter by showing the contents of the various registers at the end 
of each cycle. Cycles #0 shows the initial state; and as can be 
seen from the first row, the number whose inverse is sought is 255 
initially in register 301, and the modulus n is 8 9 9, initially in ' 
10 register 3 02. As can be seen from the row of cyole *6, the result 
in register 3 07 is 691. 



25 15 



30 20 







register 


number 


cycle 


301 


302 


306 


307 


#0 


255 


899 


1 


0 


#1 


134 


255 


896 


1 


#2 


121 


134 


4 


896 


#3 


13 


121 


892 


4 


#4 


k 


13 


67 


892 


#5 


1 




691 


67 


#6 


0 


1 


0 


691 



Turning now to FIO. 4, a detailed deaeriptlon of an exemplary 
TT™ 0t ' "*°«ntlator le presented for oompl.teneea . 

35 relT IT " "~ * 5 '' " " *** *• 

, k!' ^ ° UtPUt ° f re8l3ter *» ««■— - "52, whieh 

la both multiplioand mputa to modular multiplier 102, to be 

-deacribed. The output of modular- multiplier 402, line ,53, la an - 
data input to regiater ,0,. The output of regiater 401, line 452 
la one multiplicand Input to modular multiplier 103. The product' 
40 output of modular multiplier ,03 appaara on line 454 and i, a data 
- . -input . for regiater ,p».. ,The..inltlal- value- for register .404 iaH and- 
la ahown on line 455. The oontent, of regiater 404 appear on line 



013931 3 



- 26 - 



2,56, which is input to modular multiplier 403 and also output of the 
modular exponential . The exponent input appears on line 457 and 
is initial data input for ordinary right shifting binary shift 
register 405. The rightmost bit of shift register 405 appears as 
5 its output on line 458, which line enables the latching function of 
register 404, to be described. 

A detailed description of the operation of the exemplary modu- 
lar exponentiator of FIG. 4 is now presented. The modular exponen- 
tial takes two inputs, a base from line 451 (represented as a 
10 value between 0 and n-1) and a power from line 457 (a positive 

binary integer), and produces on its output line 4 5 6 a value between 
0 and n-1 that is congruent modulo n to the base raised to the 
power. The principle of operation is to form the product of the 
base raised to all powers of two that correspond with set bits in 
15 the exponent. (For example, notice that 21 = 2°+2 2 +2 k , and 

5 21 _ 5 . 5 2 2 . 5 2 U . 476837158203125.) Initially, the base and 
exponent are in registers 401 and 405 respectively, and register 404 
is reset to one. The operation proceeds in 1 cycles, where 1 is the 
number of bits used to represent numbers between 0 and n-1. At the 
20 end of each of the 1 cycles a clock line (not shown for clarity) is 
raised briefly from the zero state to the one state and then 
returned to the zero state. During the first cycle, the contents of 
register 401 is squared (modulo n) by modular multiplier 402 and 
appears on line 453, and the modulo n product of the content of 
25 register 401 and register 404 is developed by modular multiplier 403 
and appears on line 454. At the end of the first cycle, on the ris- 
ing edge of the first clock pulse, the value on line 453 is latched 
into register 401, the value on line 454 is latched into register 
404 only when the enabling value on line 458 is a one bit, and on 
30 the falling edge of the clock the contents of register 405 is 
shifted one bit to the right. During each of the 1-1 subsequent 
cycles, the new products settle on lines 453 and 454, and at the end 
" of the cycle,- with the-rising edge of the clock; the value on line 
453 is latched into register 401, and the value on line 454 is 



0139313 



- 27 - 

latched into register 404 if and only if line 458 has the enabling 
value of a one bit, and with the falling edge of the clock, the con- 
tents of register 405 is shifted one bit to the right. Thus, after 
the fall of the clock pulse 1, the last clock pulse, all the origi- 
5 nal bits of register 405 have been shifted out, register 401 con- 
tains a number congruent modulo n to the value on line 451 squared 1 
times, and the content of register 404 is the desired value and is 
on the output line 456 of the modular exponentiator. 

Referring now to FIG. 5, a detailed description of an exemplary 
10 embodiment of a modular multiplier is presented for completeness. 
One multiplicand input appears on line 551, which is an input to 
register 501. The output of register 501 appears on line 552, which 
is both addend inputs to modular adder 502, to be described 
described. The output of modular adder 502, line 553, is an input 
15 to register 501. The output of register 501, line 552, is one 

addend input to modular adder 503. The sum output by modular adder 
503 appears on line 554 and is a data input for register 504. The 
initial value for register 504 is 0 and is shown on line 555. The 
contents of register 504 appear online 556, which is input to modu- 
20 lar adder 503 and also output of the modular multiplier. The second 
multiplicand input appears on line 557 and is data input for ordi- 
nary right shifting binary shift register 505. The rightmost bit of 
shift register 505 appears as its output on line 558, which line 
enables the latching function of register 504, to be described. 

25 A detailed description of the operation of the exemplary modu- 

lar multiplier of FIG. 5 is now presented. The modular multiplier 
takes two multiplicands, one from each of lines 551 and 557, each 
represented as a value between 0 and n-1, and produces on its output 
line 503 a value "between 0 and n-1 that is congruent modulo n to the 

30 product of the multiplicands. The principle of operation is to form 
the sum of one multiplicand multiplied by all powers of two that 
correspond with set bits in the other multiplicand. (Notice, for 
example/ that 21 * 2 0 + 2 2 + 2 4 , and " " ''" 

13 • 21 = 13 . 2° + l 3 • 2 2 + 13 • 2* = 273.) Initially, the 



0139313 



- 28 - 

multiplicands are in registers 501 and 505, and register 504 is 
reset to zero. The operation proceeds in 1 cycles, where 1 is the 
number of bits used to represent numbers between 0 and n-1. At the 
end of each of the 1 cycles a clock line (not shown for clarity) is 

5 raised briefly from the zero state to the one state and then 

returned to the zero state* During the first cycle, the contents of 
register 501 is doubled (modulo n) by modular adder 502 and appear 
on line 553, and the modulo n sum of the content of register 501 and 
register 50* is developed by modular adder 503 and appears on line 

10 554. At the end of the first cycle, on the rising edge of the first 
clock pulse, the value on line 553 is latched into register 501, the 
value on line 554 is latched into register 504 only when the ena- 
bling value on line 558 is a one bit, and on the falling edge of the 
clock the contents of register 505 is shifted one bit to the right. 

15 During each of the 1-1 subsequent cycles, the new sums settle on 

lines 553 and 554, and at the end of the cycle, with the rising edge 
of the clock, the value on line 553 is latched into register 501, 
and the value on line 554 is latched into register 504 if and only 
if line 558 has the enabling value of a one bit, and with the fal- 

20 ling edge of the clock, the contents of register 505 is shifted one 
bit to the right. Thus, after the fall of the 1th (final) clock 
pulse, all the original bits of register 505 have been shifted out, 
register 501 contains a number congruent modulo n to the value on 
line 551 doubled 1 times, and the content of register 504 is the 

25 desired value and is on the output line 556 of the modular multi- 
plier. 

Referring now to FIG. 6, a detailed description of an exemplary 
embodiment of a modular subtractor is presented for completeness. 
The subtrahend to the modular .subtractor is on line 65-1 which is- the 

30 subtrahend to ordinary arithmetic subtractor 601, such ordinary 
arithmetic binary subtractors with positive integer inputs being 
well known in the art. The minuend input to subtractor 601 is on 

line 652 and is th^mpdulus ru__. The result of the ordinary .subtract.. 

tor 601 appears on line 653. Modular adder 602, to be described, 



01 3931 3 



10 



- 29 - 

takes the difference from line 653 and the minuend for the modular 
subtracter from line 654, and produces the modulo n sum as its out- 
put on line 655. 

The detailed operation of the modular subtractor of FIG. 6 is 
now described. Its inputs are numbers between 0 and n-1 and it pro- 
duces a number between 0 and n-1 which is congruent to the differ- 
ence of the input numbers modulo n. A number congruent to the addi- 
tive inverse modulo n of the subtrahend from line 651 is developed 
by subtractor 601, by subtracting from n, and transmitted by line 
653 to modular adder 655, and then added modulo n to the minuend on 
line 654, producing the result on line 655. 



Referring now to FIG. 7, a detailed description of an exemplary 
embodiment of a modular adder is presented for completeness. The 
two numbers to be added are supplied on lines 751 and 752, which are 
15 the summand inputs to ordinary binary adder 701, such ordinary 

binary arithmetic adders being well known in the art. The output of 
adder 701 is supplied by line 753 to the subtrahend input to ordi- 
nary binary subtractor 702. The minuend supplied subtractor 702 on 
line 754 is the modulus n for the modular addition. The result of 

20 the ordinary subtraction by subtractor 702 appears on line 755. 

Ordinary binary comparator 70 3 , such comparators being well known in 
the art, takes one comparend input from line 753 and the other eom- 
parend from line 756, which is the modulus n, and develops a single 
output bit indicating the result of the comparison, which output 

25 appears on line 757. Selector 704 takes its two data inputs from 
lines 755 and 753, and its control input from line 757, has output 
on line 758, the output of the modular adder, and outputs data from 
line 753 if comparator output 757 indicates that data value on line 
753 is less than the data value on line 756, and outputs data from 

30 line 755 otherwise. 

The operation of the exemplary modular adder of FIG. 7 will now 
be described in detail. The modular adder takes two numbers between 
0 and n, not both n, and produces as output a third numbers between 



0139313 



- 30 - 

0 and n-1 which is congruent to the sum of the inputs modulo n. Two 
numbers to be added modulo n appear on lines 751 and 752 and are 
added by ordinary arithmetic producing a sum on line 753. The sum 
is subtracted from n by subtractor 702 with the result on line 755. 
The sum is compared with n by comparator 703, with the result on 
line 757. If the comparison indicates that the sum is less than n 
then the sum is between 0 and n-1 and is output on line 758; other- 
wise the sum is at most n too large, and the difference of the sum 
and n f rom line 755 is output on line 758. 

While these descriptions of the present invention have been 
given as examples, it will be appreciated by those skilled in the 
art that various modifications, alternate configurations and 
equivalents may be employed without departing from the spirit and 
scope of the present invention. 



01 3931 3 



- 31 - 

Claims: 

1. In digital signature cryptographic apparatus, the improve- 
ment characterized by blind signature systems comprising: 

first transformation means responsive to a first key taking a first 
5 input and producing a first output hiding the first input from 

those without the first key; 

digital signature means for transforming said first output respon- 
sive to a second secret key and producing a second output; and 

second transformation means for transforming said second output, 
10 responsive to said first secret key, producing a third output, 

while preserving a digital signature property related to said 
first input and said first output not readily linkable to the 
third output without the first secret key. 

2. In digital signature cryptographic apparatus, the improve- 
15 ment characterized by blind signature systems comprising: 

key source means for developing a first key for use by a first 

party, said first key normally at least secret from a second 
party; 

first cryptographic transformation means allowing said first party 
20 to transform a message depending at least in part on said 

first secret key and rendering said message not readily recog- 
nizable without said first key; 
first communication means for transmitting said transformed message 
from said first cryptographic transformation means of said 
25 first party to said second party; 

digital signature means allowing said second party to develop a 
digital signature responsive to said transformed message 
received from said first communication means depending at 
least in part on a signing key, said signing key normally at 
30 least secret from said first party; 

second communication means for transmitting said digital signature 

from said digital signature means of said second party to said 
first party; and 



0139313 



- 32 - 

second cryptographic transformation means depending at least in part 
on said first secret key allowing said first party to 
transform a digital signature of said transformed message 
received from said second communication channel into a digital 
5 signature relating to said message and not readily distin- 

guishable without said first key as resulting from a particu- 
lar said transformed message, 

3. In the apparatus of claims 1 & 2, first transformation 
means, signing transformation means, and second transformation 
10 means, such that said third output equivalent to output of said 
signing means if said message input to said signing means. 

U. In the apparatus of claims 1 & 2, 
first transformation means including means for developing residue 
modulo the public modulus of multiplication by the first key 
15 raised to a public signing power; 

signing transformation means including means for developing residue 
modulo the public modulus of exponentiation to a power depend- 
ing on the signing key; and 
and second transformation means including means for multiplying by 
20 the multiplicative inverse of the first key modulo the public 

modulus. 

5. In the apparatus of claims 1 & 2, first transformation 
means such that there almost always exists some first key that would 
cause the first transformation of any particular message to be any 

25 particular transformed message. 

6. In the apparatus of claims 1 & 2, key source means for 
choosing said first key from a distribution making almost every pair 
of messages resulting from said first and second transformations 
nearly equally likely to correspond. 

30 7. In the apparatus of claims 1 & 2, key source means for 

- choosing said firat- key from a nearly uniform distribution and first 
and second transformation means such that there almost always exists 



01 3931 3 



- 33 - 

a unique first key that would cause the first transformation of any 
particular message to be any particular transformed message. 

8. Blind signature apparatus as described in claims 1 & 2, 
such that said first transformation means having input signals m and 
5 first key k and producing output signals described by 

t = m • k e (mod n) 

where e = a public signing exponent, and n = a public signa- 
ture modulus; 

said signing transformation means having input signals t and secret 
0 signing key d and producing output signals t» described by 

t' £ t d (mod n);and 

said second transformation means having input signals t' and first 
key k and producing output signals m' described by 

m» _= m d (mod n). 



9. In a digital signature cryptographic method, with a first 
party supplying messages to a second party who returns to the first 
party a digital signature on supplied messages, the improvement 
comprising blind signature systems characterized by the steps of: 
generating a first secret key at the first party, said key normally 

at least unknown to said second party; 
transforming a message with said first secret key, producing a first 

transformed message; 
transmitting said first transformed message to said second party; 
forming a digital signature of said first transformed message with a 

secret signing key, said secret signing key normally not known 

to said first party; 
transmitting said digital signature from said second party to said 



01 39313 



- 34 - 

first party; and 

transforming said digital signature at said first party with said 

first secret key producing a second transformed message, such 
that said first transformed message and the second transformed 
5 message are not readily determined to correspond without 

knowledge of said first secret key, and the second transformed 
message bearing a digital signature property related to said 
message. 

10. In a digital signature method, the improvement comprising 
10 a blind signature cryptographic method characterized by the steps 
of: 

transforming an original message with a first secret key; 

forming a digital signature of said transformed message; 

transforming said signed transformed message with said first secret 
15 key, such that a digital signature related to the original 

message results, and the correspondence between the signed 
message and the first transformed message is not obvious 
without said first secret key. 

11. In the method of claim ? & 10, choosing said first secret 
20 key such that almost every result of the first transformation step 

could correspond with almost every result of the second transforma- 
tion step with nearly equal likelyhood. 

12. In the method of claim 9 & 10, 

first transformation step of the message with the first key includ- 
25 ing forming the product of the first key raised to the public 

signing power and the message modulo the public signing 
modulus; 

signing step including raising the transformed message to the secret 
signing exponent modulo the public signing modulus; and 
30 second transformation step including forming the multiplicative 

inverse of the first key modulo the public signing modulus and 
- .... forming the product of this- with the result of the signing 
step. 



°139313 



- 35 - 



10 



15 



13. in cryptographic apparatus, the improvement comprising a 
blind signature system comprising: 

first blinding means for transforming a message responsive to a 

first secret key producing a first output; 
second blinding means for transforming output of said first blinding 
means responsive to a second secret key producing a second 
output; 

digital signature means for developing a digital signature related 

to said second output, responsive to a secret signing key; 
first unblinding means for transforming said digital signature,' 
responsive to a first one of said first and second secret 
keys, producing a third output; and 
second unblinding means for transforming said third output, respon- 
sive to a second one of said first and said second secret 
keys, producing a fourth output, and the fourth output having 
a digital signature property related to said message, and said 
first output and said fourth output not readily linkable 
without both the first and the second secret keys. 

1U. In a digital signature cryptographic method, the improve- 
20 ment comprising a blind signature method comprising the steps of: 
transforming a message with a first blinding transformation depend- 
ing on a first secret key, producing a first output; 
transforming said first output with a blinding transformation 

depending on a second secret key, producing a second output; 
25 developing a digital signature related to said second output depend- 
ing on a secret signing key; 
transforming said digital signature with a first unblinding 

transformation, depending on a first one of said first and 
said second secret keys, producing a third output; and 
30 transforming said third output with an unblinding transformation, 
depending on a second one of said first and second secret 
keys, producing a fourth output retaining a digital signature 
property related to said message, and said first and fourth 
output not readily determined to correspond without the first 



01 3931 3 



- 36 - 



and second secret keys. 



01 39313 



m 



r 



153 



-151 121 ^101 
C-103 



MOD MULTIPLY' \ 
152— f 122 
MOD t>EXP * T) 




1 



123 



KEY SOURCE 



126 104 



MOD INVERSE | 



L 



L. 



3g g£ 



MOD MULTIPLY 



155 



FIGURE 1 



j 



154 



124 102 



I — i 



156 



MOD b EXP P \ « — s — 



i | 



-157 



15" 



127 105 



r 



■ b MOD EXP p 


1 150 

1 








ri6i 





/77 



302 



FIGURE 3 ^3 



304 



1 " — , 

MOD MU1TIP1Y | 



-357 



REGISTER +301 




MOD SUBTRACT m 



305 



I 



-358 360 



359 

REGISTER ' + 305 



: t 361 

REGISTER ' f -307 



-2/3- 



0139313 



FIG.2a 



m 



m 



m 



FIG.2b 



m 



m 



FIG.2c 



203 

-J — . f 

blind - 



1 



1 



j unblind^ — 

204 
221 

ind I - 

? 1 




bl 



222 

— * — i t 
blind [ 



1.2 



unblind 
2^5 



T 

*2 



unblind 



i 



sign -223 



224 

J2L, , 232 , 

Mi"d 1 —1! ^ ] 



*1 
*2 



signt-233 



unblind f — i U Wind L_Ll 

^$5 L 1^ J 



b 

J-451 



REGISTER " 4 °' 1 



453- 



452 



P 

j-457 



SHIFTJ 405 



1 MOD MULTIPLY ^j -4Q2 



455-{ 



1 



-458 



403 



MOD MULTIPLY] 
454- 



FIGURE4 



i REGISTER 
4^6 I «M 



353- 



h551 -3jfe- 



REGISTER 



01 39313 

{-557 



in 



552 

s 



SH 



MOD ADD -502 



555{ 



1 



MOD ADD 



503 
4 



554- 



i REGISTER c 



FIGURE 5 



— 

556 



' FT '~505 



504 



n 

1 



m 

654- 



m 



s 

j-651 



SU BTRACT^] — QQr] 



J t 



-653 



602+ MOD ADD | FIGURE 6 

h655 



751 



H752 



ADD 



n 

754" 



753- 



s m 
SUBTRACT 



-702 



756 



3^701 



n 

-756 



COMPARE f-703 



SELECT c 



-757 



FIGURE 7 



— i — c 

758H 734 



